Bug 1391490 (CVE-2016-8633)

Summary: CVE-2016-8633 kernel: Buffer overflow in firewire driver via crafted incoming packets
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: aquini, bhu, carnil, dhoward, fhrbata, iboverma, jkacur, joelsmith, jross, kernel-mgr, lgoncalv, matt, mcressma, mmilgram, nmurray, pholasek, plougher, rvrbovsk, security-response-team, vdronov, williams, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A buffer overflow vulnerability due to a lack of input filtering of incoming fragmented datagrams was found in the fragment handling code of the IP-over-1394 driver [firewire-net] in the Linux kernel. The vulnerability has existed since firewire gained IPv4 support, i.e. since version 2.6.31 (2009), up to version v4.9-rc4. A maliciously formed fragment with a sufficiently large datagram offset would cause a memcpy() past the end of the datagram buffer, leading to a system panic or possible arbitrary code execution. The flaw requires the [firewire-net] module to be loaded and is remotely exploitable from connected firewire devices, but not over a local network.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 03:01:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1392294, 1393791, 1393792, 1393793, 1393794, 1393797, 1695819    
Bug Blocks: 1391492    

Description Adam Mariš 2016-11-03 12:30:35 UTC
A buffer overflow vulnerability due to a lack of input filtering of incoming fragmented datagrams was found in the IP-over-1394 driver [firewire-net] in fragment handling code in the Linux kernel. The vulnerability exists since firewire supported IPv4, i.e. since version 2.6.31 (year 2009) till version v4.9-rc4. A maliciously formed fragment with a respectively large datagram_offset would cause a memcpy past the datagram buffer, which would cause a system panic or possible arbitrary code execution.

The flaw requires the [firewire-net] module to be loaded and is remotely exploitable from connected firewire devices, but not over a local network. In general, IP packets enclosed in the firewire frames are completely in spec. In situations where firewire and IPv4 networking is used, the systems are frequently part of clustering software. They would be daisy chained from a single machine with a network connection: GATEWAY <-> HOST1 <-> HOST2 <-> HOST3 <-> HOSTN. So, the gateway could be connected to the internet, and this is how fragmented packets could get to the system. So, while arbitrary code execution is possible, the hardware configuration required for this is special and rare.

Proposed patch:

https://git.kernel.org/cgit/linux/kernel/git/ieee1394/linux1394.git/commit/?h=testing&id=ff89027279ec57d69797cbae7c681672f1dbea71

An upstream patch and merge:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=667121ace9db
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=03daa36f089f

Public message:

http://seclists.org/oss-sec/2016/q4/347

Research on the flaw:

https://eyalitkin.wordpress.com/2016/11/06/cve-publication-cve-2016-8633/
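The bounds check that the fix needs, as an added illustration written for this page rather than the kernel's own code: the struct, function names and the 200-byte fragments of a 1000-byte datagram are hypothetical and constructed, and the point is that the fragment offset and length are validated against the announced datagram size before any memcpy().

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical partial-datagram record, loosely modelled on the state
 * firewire-net keeps while reassembling one IP-over-1394 datagram. */
struct datagram {
    uint8_t buf[1500];  /* reassembly buffer */
    size_t dg_size;     /* total datagram size announced by the first fragment */
    size_t received;    /* bytes accepted so far */
};

/* Bounds-check a fragment against the announced datagram size before it is
 * copied. An unchecked or overflow-prone offset is what CVE-2016-8633 abused. */
bool fragment_fits(const struct datagram *dg, size_t frag_off, size_t frag_len)
{
    if (dg->dg_size > sizeof dg->buf || frag_len == 0)
        return false;
    /* short-circuit evaluation keeps the subtraction from wrapping */
    return frag_off <= dg->dg_size && frag_len <= dg->dg_size - frag_off;
}

/* The unpatched driver ran memcpy() unconditionally; checking first turns the
 * overrun into a dropped fragment. */
bool accept_fragment(struct datagram *dg, size_t frag_off,
                     const uint8_t *data, size_t frag_len)
{
    if (!fragment_fits(dg, frag_off, frag_len))
        return false;
    memcpy(dg->buf + frag_off, data, frag_len);
    dg->received += frag_len;
    return true;
}

/* Constructed scenario: 200-byte fragments of a 1000-byte datagram. Offsets 0
 * and 800 fit; 900 runs past the end; the huge offset would wrap an addition. */
int constructed_scenario(void)
{
    struct datagram dg = { .dg_size = 1000 };
    uint8_t chunk[200];
    size_t offsets[] = { 0, 800, 900, SIZE_MAX - 10 };
    int accepted = 0;
    memset(chunk, 0xAB, sizeof chunk);
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++)
        if (accept_fragment(&dg, offsets[i], chunk, sizeof chunk))
            accepted++;
    return accepted;  /* 2 */
}
```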

Comment 1 Adam Mariš 2016-11-03 12:30:52 UTC
Acknowledgments:

Name: Eyal Itkin

Comment 3 Adam Mariš 2016-11-07 06:53:00 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1392294]

Comment 9 Vladis Dronov 2016-11-10 11:18:33 UTC
Statement:

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and MRG 2.x. This issue has been rated as having Moderate security impact. Future Linux kernel updates for the respective releases might address this issue.

Comment 11 errata-xmlrpc 2018-04-10 08:03:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0676 https://access.redhat.com/errata/RHSA-2018:0676

Comment 12 errata-xmlrpc 2018-04-10 09:27:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1062 https://access.redhat.com/errata/RHSA-2018:1062

Comment 16 errata-xmlrpc 2019-05-14 19:08:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:1170 https://access.redhat.com/errata/RHSA-2019:1170

Comment 17 errata-xmlrpc 2019-05-14 20:26:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2019:1190 https://access.redhat.com/errata/RHSA-2019:1190