Bug 1466329 (CVE-2017-8797)

Summary: CVE-2017-8797 kernel: NFSv4 server does not properly validate layout type when processing NFSv4 pNFS LAYOUTGET operand
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: aquini, bhu, dhoward, dominik.mierzejewski, fhrbata, gansalmon, hannsj_uhl, hwkernel-mgr, iboverma, ichavero, itamar, jforbes, jkacur, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, madhu.chinakonda, matt, mchehab, mcressma, nmurray, pholasek, plougher, pmatouse, rt-maint, rvrbovsk, slawomir, vdronov, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service.
Story Points: ---
Last Closed: 2019-06-08 03:15:43 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1460365, 1464919, 1466330, 1466899, 1466901, 1466902, 1466903, 1466904, 1466905
Bug Blocks: 1466331

Description Adam Mariš 2017-06-29 12:48:58 UTC
The NFSv4 server in the Linux kernel does not properly validate the layout type when processing the NFSv4 pNFS LAYOUTGET operand. The provided input value is not properly validated and is used for array dereferencing. An OOPS is triggered, which leads to a DoS of knfsd and eventually to a soft-lockup of the whole system. In addition, on the normal processing path there is a C undefined behavior weakness that can lead to out-of-bounds array dereferencing.

The attack vector requires that the attacking host is within the host mask of the exported NFSv4 mount, or that source address spoofing is not properly mitigated in the network. The attack payload fits in a single one-way UDP packet. The kernel must be compiled with CONFIG_NFSD_PNFS enabled.

References:

http://seclists.org/oss-sec/2017/q2/615

Upstream fixes:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b550a32e60a4941994b437a8d662432a486235a5

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f961e3f2acae94b727380c0b74e2d3954d0edf79
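
As an added illustration (not the kernel's code and not part of this report), a user-space C model of the layout-type check the description refers to: the unfixed shape, which uses the client-supplied value as a shift count and table index before any range check, beside a hardened shape that rejects it first. LAYOUT_TYPE_MAX, the ops table, the export struct and the XDR helper are constructed stand-ins for the nfsd structures.

```c
/* Added example (not kernel code): a user-space model of the pNFS layout-type
 * check behind CVE-2017-8797. All names and sizes here are constructed. */
#include <stddef.h>
#include <stdint.h>

#define LAYOUT_TYPE_MAX 4u   /* constructed: one past the highest known type */

struct layout_ops { const char *name; };

static const struct layout_ops ops_files = { "files" }, ops_block = { "block" };

/* Indexed directly by layout type; slot 0 is unused, slot 2 is unimplemented. */
static const struct layout_ops *layout_ops_table[LAYOUT_TYPE_MAX] = {
	NULL, &ops_files, NULL, &ops_block,
};

struct nfs_export { uint32_t ex_layout_types; };  /* bitmask of enabled types */

/* The layout type arrives as an XDR uint32 (big-endian), so the full 32-bit
 * range reaches the check below. */
static uint32_t xdr_decode_u32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Unfixed shape: a shift by >= 32 is undefined behaviour in C, and any value
 * >= LAYOUT_TYPE_MAX reads past the table (the OOPS the report describes).
 * Only ever call this with in-range values. */
static const struct layout_ops *
layout_verify_unfixed(const struct nfs_export *exp, uint32_t layout_type)
{
	if (!(exp->ex_layout_types & (1u << layout_type)))
		return NULL;
	return layout_ops_table[layout_type];
}

/* Fixed shape: reject out-of-range types before the value is used as a shift
 * count or an index; a NULL table slot still means "unsupported". */
static const struct layout_ops *
layout_verify_fixed(const struct nfs_export *exp, uint32_t layout_type)
{
	if (layout_type >= LAYOUT_TYPE_MAX)
		return NULL;
	if (!(exp->ex_layout_types & (1u << layout_type)))
		return NULL;
	return layout_ops_table[layout_type];
}
```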

Comment 1 Adam Mariš 2017-06-29 12:49:41 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1466330]

Comment 6 Vladis Dronov 2017-06-30 17:51:13 UTC
Statement:

This issue does not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5 and 6, as the code with the flaw is not present in the products listed.

This issue affects the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 7 and Red Hat Enterprise MRG 2. Future kernel updates for these products may address this issue.

Comment 7 errata-xmlrpc 2017-08-01 19:17:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2077 https://access.redhat.com/errata/RHSA-2017:2077

Comment 9 errata-xmlrpc 2017-08-02 07:57:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1842 https://access.redhat.com/errata/RHSA-2017:1842

Comment 10 errata-xmlrpc 2017-08-08 16:21:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Extended Update Support

Via RHSA-2017:2437 https://access.redhat.com/errata/RHSA-2017:2437

Comment 11 errata-xmlrpc 2017-09-06 20:43:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2017:2669 https://access.redhat.com/errata/RHSA-2017:2669

Comment 12 Justin M. Forbes 2018-01-29 17:22:11 UTC
This issue was fixed for Fedora in the 4.11.3 stable updates