Bug 1426542 (CVE-2017-6214)

Summary: CVE-2017-6214 kernel: ipv4/tcp: Infinite loop in tcp_splice_read()
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: afox, alexandre.chanu, aquini, bhu, dhoward, dominik.mierzejewski, fhrbata, gansalmon, iboverma, ichavero, itamar, jforbes, jkacur, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, madhu.chinakonda, matt, mchehab, mcressma, nmurray, pholasek, plougher, rt-maint, rvrbovsk, slawomir, slong, williams, wmealing, yozone
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in the Linux kernel's handling of packets with the URG flag. Applications using the splice() and tcp_splice_read() functionality could allow a remote attacker to force the kernel to enter a condition in which it could loop indefinitely.
Last Closed: 2019-06-08 03:08:07 UTC
Bug Depends On: 1430577, 1430578, 1430579, 1430580, 1430581, 1430582, 1430583, 1430584, 1430585    
Bug Blocks: 1426543    

Description Andrej Nemec 2017-02-24 09:00:20 UTC
A flaw was found in the Linux kernel's handling of packets with the URG flag. Applications using the splice() and tcp_splice_read() functionality can allow a remote attacker to force the kernel to enter a condition in which it can loop indefinitely.


Upstream patch:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ccf7abb93af09ad0868ae9033d1ca8108bdaec82

References:

https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.11
http://seclists.org/oss-sec/2017/q1/491

Comment 10 Wade Mealing 2017-03-09 01:41:38 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1430585]

Comment 11 Wade Mealing 2017-03-09 02:29:19 UTC
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 as the code with the flaw is not present in the products listed.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and MRG-2. Future Linux kernel updates for the respective releases might address this issue.

Comment 12 Justin M. Forbes 2017-03-09 19:52:46 UTC
As mentioned in the original comment, this was fixed in upstream 4.9.11. This update was shipped to all stable Fedora updates on February 24, 2017.

Comment 14 errata-xmlrpc 2017-05-30 17:06:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:1372 https://access.redhat.com/errata/RHSA-2017:1372

Comment 15 errata-xmlrpc 2017-06-28 16:36:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2017:1647 https://access.redhat.com/errata/RHSA-2017:1647

Comment 16 errata-xmlrpc 2017-06-28 17:04:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1615 https://access.redhat.com/errata/RHSA-2017:1615

Comment 17 errata-xmlrpc 2017-06-28 17:08:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1616 https://access.redhat.com/errata/RHSA-2017:1616