Bug 1354525 (CVE-2016-6327)

Summary: CVE-2016-6327 kernel: infiniband: Kernel crash by sending ABORT_TASK command
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aquini, bhu, dhoward, fhrbata, honli, iboverma, jkacur, joelsmith, jross, kernel-mgr, kstutsma, lgoncalv, matt, mcressma, nmurray, plougher, rvrbovsk, security-response-team, slawomir, vdronov, williams, wmealing
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Text:
Systems using the infiniband support module ib_srpt were vulnerable to a denial of service by system crash by a local attacker who is able to abort writes to a device using this initiator.
Last Closed: 2019-06-08 02:56:09 UTC
Bug Depends On: 1342604, 1368307, 1368308, 1368309, 1368310, 1368311    
Bug Blocks: 1354527    

Description Adam Mariš 2016-07-11 13:40:33 UTC
Systems using the infiniband support module ib_srpt were vulnerable to a denial of service by system crash by a local attacker who is able to abort writes to a device using this initiator.

There were multiple areas in which aborting a SCSI command is able to be handled; moving this to the correct location in the state machine ensured that this condition was never triggered through this code path.

The null pointer situation was enabled via a non-attacker-controlled memset, and this is not a use after free.

Product bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1342604

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=51093254bf87

http://seclists.org/oss-sec/2016/q3/334

Comment 4 Wade Mealing 2016-08-19 04:06:39 UTC
Statement:

This issue affects Red Hat Enterprise Linux 7 and MRG-2 kernels and will be addressed in a future update.  This issue does not affect Red Hat Enterprise Linux 5 and 6 systems.

Comment 7 errata-xmlrpc 2016-11-03 17:06:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html

Comment 8 errata-xmlrpc 2016-11-03 19:54:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html

Comment 9 errata-xmlrpc 2016-11-03 21:36:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html

Comment 10 errata-xmlrpc 2016-11-03 21:44:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html