Bug 1487295 (CVE-2017-14106)

Summary: CVE-2017-14106 kernel: Divide-by-zero in __tcp_select_window
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: airlied, ajax, aquini, bhu, blc, bskeggs, dhoward, eparis, esandeen, fhrbata, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jforbes, jglisse, jkacur, jonathan, josef, jross, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, nhorman, nmurray, pholasek, plougher, quintela, rt-maint, rvrbovsk, security-response-team, slawomir, vdronov, williams, wmealing, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:23:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1487051, 1487061, 1487703, 1488340, 1488341, 1488342, 1488343, 1488344, 1488345, 1488346, 1488347, 1488348, 1488349    
Bug Blocks: 1487299    

Description Adam Mariš 2017-08-31 14:54:44 UTC 
Divide-by-zero vulnerability was found in __tcp_select_window function which can result into kernel panic causing local denial-of-service if panic_on_oops is enabled.

References:

http://seclists.org/oss-sec/2017/q3/389

https://marc.info/?l=linux-netdev&m=150415901823078

https://www.mail-archive.com/netdev@vger.kernel.org/msg186255.html

https://groups.google.com/forum/#!topic/syzkaller/e4SrsEBEziQ

Upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=499350a5a6e7512d9ed369ed63a4244b6536f4f8
Comment 1 Adam Mariš 2017-09-01 16:18:46 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1487703]
Comment 3 Wade Mealing 2017-09-05 08:07:03 UTC 
Statement:

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6 and 7 and MRG-2. Future Linux kernel updates for the respective releases may address this issue.
Comment 8 Justin M. Forbes 2017-09-05 14:19:25 UTC 
This bug was fixed upstream in May and is currently fixed included in all supported Fedora releases.
Comment 9 errata-xmlrpc 2017-10-19 13:27:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2017:2918 https://access.redhat.com/errata/RHSA-2017:2918
Comment 10 errata-xmlrpc 2017-10-19 15:07:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2930 https://access.redhat.com/errata/RHSA-2017:2930
Comment 11 errata-xmlrpc 2017-10-19 15:11:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2931 https://access.redhat.com/errata/RHSA-2017:2931
Comment 13 errata-xmlrpc 2017-11-14 20:39:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:3200 https://access.redhat.com/errata/RHSA-2017:3200
Comment 14 errata-xmlrpc 2018-07-11 15:39:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5 Extended Lifecycle Support

Via RHSA-2018:2172 https://access.redhat.com/errata/RHSA-2018:2172