Bug 1504574 (CVE-2017-15649)

Summary: CVE-2017-15649 kernel: Use-after-free in the af_packet.c
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: airlied, ajax, aquini, bhu, blc, bskeggs, dhoward, eparis, esandeen, fhrbata, haliu, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jforbes, jglisse, jkacur, jonathan, josef, jross, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, nhorman, nmurray, plougher, quintela, rt-maint, rvrbovsk, slawomir, steved, vdronov, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was found that fanout_add() in 'net/packet/af_packet.c' in the Linux kernel, before version 4.13.6, allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free bug.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:29:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1490772, 1505392, 1505423, 1505425, 1505426, 1505429, 1505430    
Bug Blocks: 1504575    

Description Andrej Nemec 2017-10-20 09:02:56 UTC 
net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346.

Upstream patches:

https://github.com/torvalds/linux/commit/008ba2a13f2d04c947adc536d19debb8fe66f110
https://github.com/torvalds/linux/commit/4971613c1639d8e5f102c4e797c3bf8f83a5a69e
https://github.com/torvalds/linux/commit/2bd624b4611ffee36422782d16e1c944d1351e98

References:

https://blogs.securiteam.com/index.php/archives/3484
Comment 2 Vladis Dronov 2017-10-23 13:47:58 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1505392]
Comment 8 Vladis Dronov 2017-10-23 15:14:02 UTC 
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 and 6 as a code with the flaw is not present in the products listed.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 and MRG-2. Future updates for the respective releases may address this issue.
Comment 9 Justin M. Forbes 2017-10-24 17:16:11 UTC 
This was fixed with the 4.13.6 kernel for Fedora
Comment 14 errata-xmlrpc 2018-01-25 11:27:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0151 https://access.redhat.com/errata/RHSA-2018:0151
Comment 15 errata-xmlrpc 2018-01-25 11:30:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0152 https://access.redhat.com/errata/RHSA-2018:0152
Comment 16 errata-xmlrpc 2018-01-25 11:32:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2018:0181 https://access.redhat.com/errata/RHSA-2018:0181