Bug 1290475 (CVE-2015-8543)
| Summary: | CVE-2015-8543 kernel: IPv6 connect causes DoS via NULL pointer dereference | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | aquini, arm-mgr, bhu, carnil, dhoward, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, joelsmith, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, kstutsma, lgoncalv, madhu.chinakonda, matt, mchehab, mcressma, mrg-program-list, nmurray, plougher, rvrbovsk, slawomir, slong, vdronov, williams, yozone |
| Target Milestone: | --- | Keywords: | Reopened, Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | A NULL pointer dereference flaw was found in the way the Linux kernel's network subsystem handled socket creation with an invalid protocol identifier. A local user could use this flaw to crash the system. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-06-08 02:46:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1290477, 1291618, 1291627, 1293673, 1334846, 1334847 | | |
| Bug Blocks: | 1290479 | | |

Description
Adam Mariš
2015-12-10 15:56:57 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1290477]

This issue got CVE-2015-8543 for Android kernel. Linux kernel might get as well if bugs appear when sk->sk_prot->get_port is NULL.

http://seclists.org/oss-sec/2015/q4/473

Upstream bugfix:

https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=79462ad02e861803b3840cc782248c7359451cd9

Description:

A flaw was found in the kernel network stack in the inet_autobind() function in the net/ipv4/af_inet.c file. AF_INET and AF_INET6 sockets only support 8-bit protocol identifiers, thus if a larger protocol identifier is provided, the higher bits are cut off. A connect() call on the incorrectly created SOCK_RAW socket could lead to the NULL function call. A SOCK_RAW socket can be created by an unprivileged user if the kernel supports CLONE_NEWUSER or by an unprivileged user with CAP_NET_RAW capability. If the system settings allow allocation of the memory page with address zero, this can lead to arbitrary code execution and privilege escalation, otherwise to a kernel crash and DoS.

References:

http://seclists.org/oss-sec/2015/q4/456

https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=79462ad02e861803b3840cc782248c7359451cd9

Statement:

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and MRG-2. Future updates for the respective releases may address the issue.

This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 5. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

kernel-4.2.8-200.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

kernel-4.2.8-300.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2016:0855 https://rhn.redhat.com/errata/RHSA-2016-0855.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html
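
The truncation described in the bug description, as an added userspace model that is not kernel code and not part of the original report: it stores a protocol number in an 8-bit field and shows how a range check at socket creation keeps connect from reaching a NULL `get_port` handler. All `model_*` names, `MODEL_PROTO_MAX`, the `num` field and the early rejection of protocol 0 are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_PROTO_MAX 256            /* size of the 8-bit identifier space */

struct model_sock;
struct model_proto { int (*get_port)(struct model_sock *sk); };
struct model_sock {
    uint8_t protocol;                  /* higher bits of the argument are cut off */
    uint8_t num;                       /* assumption: 0 means "needs autobind" */
    const struct model_proto *prot;
};

/* Raw-like protocol: it provides no get_port handler. */
static const struct model_proto raw_like = { .get_port = NULL };

/* Before: only a literal 0 is refused, then the value is truncated. */
int create_unchecked(struct model_sock *sk, int protocol)
{
    if (protocol == 0)
        return -EPROTONOSUPPORT;
    sk->protocol = (uint8_t)protocol;  /* 0x100 silently becomes 0 */
    sk->num = (uint8_t)protocol;
    sk->prot = &raw_like;
    return 0;
}

/* After: identifiers that do not fit in the field never create a socket. */
int create_checked(struct model_sock *sk, int protocol)
{
    if (protocol < 0 || protocol >= MODEL_PROTO_MAX)
        return -EINVAL;
    return create_unchecked(sk, protocol);
}

/* Reports whether connect would enter autobind with no handler to call;
 * the model reports the condition instead of making the call. */
int connect_hits_null_handler(const struct model_sock *sk)
{
    return sk->num == 0 && sk->prot->get_port == NULL;
}

int main(void)
{
    struct model_sock sk;
    printf("unchecked 0x100: rc=%d\n", create_unchecked(&sk, 0x100));
    printf("NULL handler reachable: %d\n", connect_hits_null_handler(&sk));
    printf("checked 0x100: rc=%d\n", create_checked(&sk, 0x100));
    return 0;
}
```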