Bug 1428907 (CVE-2017-6353)

Summary: CVE-2017-6353 kernel: Possible double free in stcp_sendmsg() (incorrect fix for CVE-2017-5986)
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agordeev, aquini, bhu, dhoward, esammons, fhrbata, gansalmon, hwkernel-mgr, iboverma, ichavero, itamar, jforbes, jkacur, jkastner, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, lwang, madhu.chinakonda, matt, mchehab, mcressma, mguzik, nmurray, pholasek, plougher, rt-maint, rvrbovsk, vdronov, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was found that the code in net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. This vulnerability was introduced by CVE-2017-5986 fix (commit 2dcab5984841).
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-06 14:03:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1428910, 1429496, 1429497, 1459305    
Bug Blocks: 1420295    

Description Adam Mariš 2017-03-03 15:13:51 UTC 
net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application.

This vulnerability was introduced by CVE-2017-5986 fix (commit 2dcab5984841).

Upstream patch:

https://github.com/torvalds/linux/commit/dfcb9f4f99f1e9a49e43398a7bfbf56927544af1
Comment 1 Adam Mariš 2017-03-03 15:15:13 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1428910]
Comment 4 Vladis Dronov 2017-03-06 14:03:59 UTC 
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6, 7 and MRG-2, as the problem code is not presented in the products listed.
Comment 5 Fedora Update System 2017-03-11 11:51:13 UTC 
kernel-4.9.13-101.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.