Summary: CVE-2015-7990 kernel: Race condition when sending message on unbound socket causing NULL pointer dereference
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Version: unspecified
CC: agordeev, aquini, arm-mgr, bhu, carnil, dhoward, esammons, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, joelsmith, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, kstutsma, lgoncalv, lwang, madhu.chinakonda, matt, mchehab, mcressma, mguzik, mrg-program-list, nmurray, pholasek, plougher, rvrbovsk, slawomir, slong, williams, wmealing
Fixed In Version:
Doc Type: Bug Fix
Doc Text: A denial of service flaw was discovered in the Linux kernel, where a race condition between binding an RDS socket and sending on it caused a NULL pointer dereference in the RDS connection-creation code (__rds_conn_create()). A local attacker could use this flaw to trigger the NULL pointer dereference and crash the kernel.
Last Closed: 2016-05-12 01:24:57 UTC
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1276438, 1287424, 1287425, 1287426, 1287427, 1287428
Description Adam Mariš 2015-10-29 17:17:01 UTC
A NULL pointer dereference in the RDS connection code when sending a message to an apparently unbound socket in net/rds/connection.c was found. The problem is caused by the code checking if the socket is bound in rds_sendmsg(), which checks the rs_bound_addr field without taking a lock on the socket. This opens a race where rs_bound_addr is temporarily set but where the transport is not in rds_bind(), leading to a NULL pointer dereference when trying to dereference 'trans' in __rds_conn_create().

Note that this is a complete fix of the CVE-2015-6937 issue.

Patch can be found here: https://lkml.org/lkml/2015/10/16/530

CVE assignment: http://seclists.org/oss-sec/2015/q4/179

Workaround:

The Linux kernel will attempt to automatically load the RDS module when the RDS protocol is used from userspace. The module can be prevented from being loaded with the commands:

  # use a .conf file name: newer modprobe ignores files in /etc/modprobe.d without it
  echo "install rds /bin/true" > /etc/modprobe.d/disable-rds.conf
  echo "alias net-pf-28 off" >> /etc/modprobe.d/disable-rds.conf

On earlier versions of Red Hat Enterprise Linux the module can be disabled with instructions from here: https://access.redhat.com/solutions/41278

If the module is already loaded prior to this, it must be removed or the system must be rebooted to prevent it from loading in the future.
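The interleaving the description above refers to, modelled in user space as an added example. This is not the kernel's code and is not part of this bug report: the struct and field names (rds_sock, rs_bound_addr, rs_transport, sk_lock) are borrowed from net/rds, while the send_outcome enum, the in_window/sender_done handshake that pins the interleaving, run_race(), the 10.0.0.1 address and the "tcp" transport are assumptions made for the demonstration. The vulnerable sender reads rs_bound_addr without the socket lock and then hands rs_transport to the connection-creation step; the hardened sender takes the socket lock around the check, the serialisation against rds_bind() that the description points at. A third variant keeps the check unlocked but adds the CVE-2015-6937 NULL check on the transport, to show why that alone is not a complete fix.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct rds_transport { const char *t_name; };  /* stands in for the transport ops table */

struct rds_sock {
    pthread_mutex_t sk_lock;             /* models lock_sock()/release_sock() */
    uint32_t rs_bound_addr;              /* 0 means unbound, as in the kernel */
    struct rds_transport *rs_transport;  /* stored by bind after rs_bound_addr */
};

enum send_outcome { SEND_OK, SEND_NOTCONN, SEND_NODEV, SEND_OOPS };

/* Harness, not kernel logic: bind holds its half-bound window open until the
 * sender has arrived, so the interleaving is the same on every run. */
static atomic_bool in_window, sender_done;

static void wait_for(atomic_bool *flag)
{
    while (!atomic_load(flag))
        sched_yield();
}

/* Models rds_bind(): two separate stores under the socket lock, so a reader that
 * skips the lock can observe the first one without the second. */
static void model_rds_bind(struct rds_sock *rs, struct rds_transport *t)
{
    pthread_mutex_lock(&rs->sk_lock);
    rs->rs_bound_addr = 0x0a000001u;     /* constructed address, 10.0.0.1 */
    atomic_store(&in_window, true);
    wait_for(&sender_done);              /* harness: keep the window open */
    rs->rs_transport = t;
    pthread_mutex_unlock(&rs->sk_lock);
}

/* Models __rds_conn_create() receiving rs_transport.  check_trans is the
 * CVE-2015-6937 NULL check (-ENODEV); without it the kernel dereferences NULL,
 * which the model reports as SEND_OOPS instead of crashing the process. */
static enum send_outcome model_conn_create(struct rds_transport *trans, bool check_trans)
{
    if (trans == NULL)
        return check_trans ? SEND_NODEV : SEND_OOPS;
    (void)trans->t_name;                 /* the dereference the kernel performs */
    return SEND_OK;
}

/* Models rds_sendmsg().  locked == false is the bug: rs_bound_addr is read
 * without the socket lock.  locked == true serialises the check with rds_bind(). */
static enum send_outcome model_rds_sendmsg(struct rds_sock *rs, bool locked, bool check_trans)
{
    if (locked)
        pthread_mutex_lock(&rs->sk_lock);
    if (rs->rs_bound_addr == 0) {
        if (locked)
            pthread_mutex_unlock(&rs->sk_lock);
        return SEND_NOTCONN;             /* -ENOTCONN in the kernel */
    }
    struct rds_transport *trans = rs->rs_transport;   /* NULL inside the bind window */
    if (locked)
        pthread_mutex_unlock(&rs->sk_lock);
    return model_conn_create(trans, check_trans);
}

struct sender_args { struct rds_sock *rs; bool locked, check_trans; enum send_outcome out; };

static void *sender_thread(void *p)
{
    struct sender_args *a = p;
    wait_for(&in_window);                /* arrive while bind is half done */
    if (a->locked)
        atomic_store(&sender_done, true);  /* will block on sk_lock: let bind finish */
    a->out = model_rds_sendmsg(a->rs, a->locked, a->check_trans);
    if (!a->locked)
        atomic_store(&sender_done, true);  /* snapshot taken: now let bind finish */
    return NULL;
}

/* One bind/send race; returns what the sender observed. */
enum send_outcome run_race(bool locked, bool check_trans)
{
    static struct rds_transport tcp = { .t_name = "tcp" };   /* constructed */
    struct rds_sock rs = { .sk_lock = PTHREAD_MUTEX_INITIALIZER };
    struct sender_args a = { .rs = &rs, .locked = locked, .check_trans = check_trans };
    pthread_t tid;

    atomic_store(&in_window, false); atomic_store(&sender_done, false);  /* no other thread yet */
    pthread_create(&tid, NULL, sender_thread, &a);
    model_rds_bind(&rs, &tcp);
    pthread_join(tid, NULL);
    return a.out;
}

int main(void)
{
    static const char *name[] = { "ok", "-ENOTCONN", "-ENODEV", "OOPS (NULL deref)" };
    printf("unlocked check, no transport check: %s\n", name[run_race(false, false)]);
    printf("unlocked check, transport check:    %s\n", name[run_race(false, true)]);
    printf("locked check:                       %s\n", name[run_race(true, false)]);
    return 0;
}
```

Build with cc -pthread. With the check unlocked and no transport check the sender reaches connection creation with a NULL transport on every run, which in the kernel is the oops in __rds_conn_create(). Adding only the transport NULL check turns the crash into a spurious -ENODEV for a socket that is in fact bound, which is why the description calls this bug the complete fix of CVE-2015-6937. Taking the socket lock around the check makes the half-bound state unobservable: the sender either sees the socket as unbound (-ENOTCONN) or as fully bound with its transport in place.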
Comment 1 Adam Mariš 2015-10-29 17:17:45 UTC
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1276438]
Comment 2 Fedora Update System 2015-11-19 09:55:59 UTC
kernel-4.2.6-300.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 3 Fedora Update System 2015-11-19 12:21:07 UTC
kernel-4.2.6-200.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2015-11-20 23:20:44 UTC
kernel-4.1.13-100.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Wade Mealing 2016-02-01 03:49:44 UTC
Statement: This issue affects Red Hat Enterprise Linux 5 and 6. The affected code is not available in 7, MRG and realtime kernels.