Bug 1504255 (CVE-2017-15096)

Summary: CVE-2017-15096 glusterfs: Null pointer dereference in send_brick_req function in glusterfsd/src/gf_attach.c
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: anoopcs, atumball, bmcclain, dblechte, eedri, humble.devassy, jeff, jonathansteffan, kkeithle, mgoldboi, michal.skrivanek, ndevos, ramkrsna, rhs-bugs, sankarshan, sherold, sisharma, smohan, ssaha, vbellur, ykaul, ylavi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-10-27 08:10:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1503394, 1504256, 1505212, 1505370    
Bug Blocks: 1504257    

Description Pedro Sampaio 2017-10-19 19:41:12 UTC 
A flaw was found in glusterfs. A null pointer dereference in in send_brick_req function in glusterfsd/src/gf_attach.c may cause local denial of service.  

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1502928
Comment 1 Pedro Sampaio 2017-10-19 19:41:57 UTC 
Created glusterfs tracking bugs for this issue:

Affects: fedora-all [bug 1504256]
Comment 2 Siddharth Sharma 2017-10-26 16:11:05 UTC 
Analysis

Only local DoS of glusterfsd is possible with this. Impact of this flaw is low.
Comment 3 Jeff Darcy 2017-10-27 05:51:54 UTC 
It's not even a DoS of glusterfsd.  Worst case is that gf_attach runs out of memory, which would be a failure anyway, and then fails with a SIGSEGV in STACK_DESTROY (the other two functions check for NULL) instead of ENOMEM.  Not sure GlusterD (management daemon) would even notice the difference, and even if it did that would only affect adding or removing bricks.  Other management operations, and the entire I/O path, would be unaffected.  It's a bug, sure, but it's not clearly a *security* bug at all.
Comment 4 Siddharth Sharma 2017-10-27 08:09:06 UTC 
(In reply to Jeff Darcy from comment #3)
> It's not even a DoS of glusterfsd.  Worst case is that gf_attach runs out of
> memory, which would be a failure anyway, and then fails with a SIGSEGV in
> STACK_DESTROY (the other two functions check for NULL) instead of ENOMEM. 
> Not sure GlusterD (management daemon) would even notice the difference, and
> even if it did that would only affect adding or removing bricks.  Other
> management operations, and the entire I/O path, would be unaffected.  It's a
> bug, sure, but it's not clearly a *security* bug at all.

Hi Jeff,

agreed that is why I set impact of this being low. It is at a border line between low to no security flaw.