Bug 1276437 (CVE-2015-7990)

Summary: CVE-2015-7990 kernel: Race condition when sending message on unbound socket causing NULL pointer dereference
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agordeev, aquini, arm-mgr, bhu, carnil, dhoward, esammons, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, joelsmith, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, kstutsma, lgoncalv, lwang, madhu.chinakonda, matt, mchehab, mcressma, mguzik, mrg-program-list, nmurray, pholasek, plougher, rvrbovsk, slawomir, slong, williams, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A denial of service flaw was discovered in the Linux kernel, where a race condition caused a NULL pointer dereference in the RDS socket-creation code. A local attacker could use this flaw to create a situation in which a NULL pointer crashed the kernel.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-12 01:24:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1276438, 1287424, 1287425, 1287426, 1287427, 1287428    
Bug Blocks: 1276439    

Description Adam Mariš 2015-10-29 17:17:01 UTC 
A NULL pointer dereference in the RDS connection code when sending a message to an apparently unbound socket in net/rds/connection.c was found. The problem is caused by the code checking if the socket is bound in rds_sendmsg(), which checks the rs_bound_addr field without taking a lock on the socket.  This opens a race where rs_bound_addr is temporarily set but where the transport is not in rds_bind(), leading to a NULL pointer dereference when trying to dereference 'trans' in __rds_conn_create().

Note that this is a complete fix of CVE-2015-6937 issue.

Patch can be found here:

https://lkml.org/lkml/2015/10/16/530

CVE assignment:

http://seclists.org/oss-sec/2015/q4/179

Workaround:

The Linux kernel will attempt to automatically load the RDS module when the RDS protocol is used from userspace.  The module can be prevented being loaded with the commands:

echo "install rds /bin/true" > /etc/modprobe.d/disable-rds
echo "alias net-pf-28 off" >> /etc/modprobe.d/disable-rds

Earlier versions of Red Hat Enterprise Linux can be disabled with instructions from here: https://access.redhat.com/solutions/41278 

If the module is already loaded prior to this, it must be removed or the system must be rebooted to preven it loading in the future.
Comment 1 Adam Mariš 2015-10-29 17:17:45 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1276438]
Comment 2 Fedora Update System 2015-11-19 09:55:59 UTC 
kernel-4.2.6-300.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 3 Fedora Update System 2015-11-19 12:21:07 UTC 
kernel-4.2.6-200.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2015-11-20 23:20:44 UTC 
kernel-4.1.13-100.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Wade Mealing 2016-02-01 03:49:44 UTC 
Statement:

This issue affects Red Hat enterprise Linux 5 and 6.  The affected code is not available in 7, MRG and realtime kernels.