Bug 1397930 (CVE-2016-9555)

Summary: CVE-2016-9555 kernel: Slab out-of-bounds access in sctp_sf_ootb()
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aquini, arm-mgr, awestbro, bhu, dhoward, fhrbata, gansalmon, iboverma, ichavero, itamar, jforbes, jkacur, joelsmith, jonathan, jross, jwboyer, kabbott, kernel-maint, kernel-mgr, labbott, lgoncalv, madhu.chinakonda, matt, mchehab, mcressma, nmurray, pholasek, plougher, ppandit, rt-maint, rvrbovsk, slawomir, vdronov, williams, wmealing, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's implementation of the SCTP protocol. A remote attacker could trigger an out-of-bounds read with an offset of up to 64kB potentially causing the system to crash.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:02:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1397931, 1399455, 1399456, 1399457, 1399458, 1399459, 1399460, 1399461, 1399462, 1399463    
Bug Blocks: 1397933    

Description Adam Mariš 2016-11-23 15:26:49 UTC 
A flaw was found in the Linux kernels implementation of sctp protocol in which a remote attacker can trigger an out of bounds read with an offset of up to 64kB.  This may panic the machine with a page-fault and the out-of-bounds data does not seem to be returned to the remote attacker.

For this attack to be sucessful, the kernel needs to have both the SCTP protocol module loaded and a process listening as an SCTP server.

Upstream patch:

https://github.com/torvalds/linux/commit/bf911e985d6bbaa328c20c3e05f4eb03de11fdd6

CVE assignment:

http://seclists.org/oss-sec/2016/q4/509
Comment 1 Adam Mariš 2016-11-23 15:27:43 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1397931]
Comment 2 Justin M. Forbes 2016-11-23 17:51:38 UTC 
This issue was resolved in the 4.8.8 stable release and was released as an update to all supported Fedora versions.
Comment 3 Wade Mealing 2016-11-29 05:42:57 UTC 
Statement:

This issue affects the Linux kernels as shipped with Red Hat Enterprise Linux 5, 6, 7, MRG-2 and realtime and will be addressed in future updates.
Comment 14 errata-xmlrpc 2017-01-17 18:02:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2017:0113 https://rhn.redhat.com/errata/RHSA-2017-0113.html
Comment 15 errata-xmlrpc 2017-01-17 18:17:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:0086 https://rhn.redhat.com/errata/RHSA-2017-0086.html
Comment 16 errata-xmlrpc 2017-01-17 18:25:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:0091 https://rhn.redhat.com/errata/RHSA-2017-0091.html
Comment 17 errata-xmlrpc 2017-02-23 17:40:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0307 https://rhn.redhat.com/errata/RHSA-2017-0307.html