Bug 1479304 (CVE-2017-1000111)

Summary: CVE-2017-1000111 kernel: Heap out-of-bounds read in AF_PACKET sockets
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aquini, bhu, blc, chorn, dhoward, fhrbata, gansalmon, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jforbes, jkacur, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, madhu.chinakonda, matt, mchehab, mcressma, mlangsdo, mmezynsk, mmilgram, nmurray, pholasek, plougher, pmatouse, rt-maint, rvrbovsk, security-response-team, slawomir, williams, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A race condition issue was found in the way the raw packet socket implementation in the Linux kernel networking subsystem handled synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this to waste resources in the kernel's ring buffer or possibly cause an out-of-bounds read on the heap leading to a system crash.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:20:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1480464, 1481926, 1481927, 1481937, 1481938, 1481939, 1481940, 1481941, 1481942, 1481943    
Bug Blocks: 1479308    

Description Andrej Nemec 2017-08-08 10:45:41 UTC 
A race condition issue was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this to waste resources in the kernels ring buffer or possibly cause a read-out-of-bounds on the heap possibly panicking the machine.

In a default or common use of Red Hat Enterprise Linux 6 and 7 this issue does not allow an unprivileged local user to use this functionality.

In order to exploit this issue the attacker needs CAP_NET_RAW capability, which needs to be granted by the administrator to the attacker's account. Since Red Hat Enterprise Linux does not have unprivileged user namespaces enabled by default, local unprivileged users also cannot abuse namespaces to grant this capability.

Upstream patch:
http://patchwork.ozlabs.org/patch/800274/
Comment 1 Andrej Nemec 2017-08-08 10:45:51 UTC 
Acknowledgments:

Name: Willem de Bruijn
Comment 5 Adam Mariš 2017-08-11 08:07:19 UTC 
Public via:

http://seclists.org/oss-sec/2017/q3/279
Comment 6 Adam Mariš 2017-08-11 08:08:35 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1480464]
Comment 9 errata-xmlrpc 2017-10-19 13:26:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2017:2918 https://access.redhat.com/errata/RHSA-2017:2918
Comment 10 errata-xmlrpc 2017-10-19 15:06:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2930 https://access.redhat.com/errata/RHSA-2017:2930
Comment 11 errata-xmlrpc 2017-10-19 15:10:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2931 https://access.redhat.com/errata/RHSA-2017:2931
Comment 14 errata-xmlrpc 2017-11-14 20:38:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:3200 https://access.redhat.com/errata/RHSA-2017:3200
Comment 15 Eric Christensen 2018-09-13 14:00:57 UTC 
Statement:

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7, and MRG-2.

Future Linux kernel updates for the respective releases may address this issue.