Bug 1558697 (CVE-2018-8822)

Summary: CVE-2018-8822 kernel: Memory corruption in ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: airlied, ajax, aquini, bhu, blc, bskeggs, dhoward, esammons, ewk, fhrbata, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jforbes, jglisse, jkacur, john.j5live, jonathan, josef, jross, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, lwang, matt, mchehab, mcressma, mguzik, mjg59, mlangsdo, nmurray, plougher, rt-maint, rvrbovsk, skozina, steved, vdronov, williams, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
Incorrect buffer length handling was found in the ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c in the Linux kernel, which could be exploited by malicious NCPFS servers to crash the kernel or possibly execute arbitrary code.
Story Points: ---
Last Closed: 2018-03-22 16:30:23 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1558698
Bug Blocks: 1558699

Description Pedro Sampaio 2018-03-20 20:13:23 UTC
Incorrect buffer length handling was found in the ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c in the Linux kernel, which could be exploited by malicious NCPFS servers to crash the kernel or possibly execute arbitrary code.

References:

https://www.mail-archive.com/netdev@vger.kernel.org/msg223373.html

A suggested fix:

https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git/commit/?id=4c41aa24baa4ed338241d05494f2c595c885af8f
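The flaw class described above, a server-controlled byte count used as the length of a copy into a fixed-size kernel buffer, modelled in user space as an added example (not the kernel's ncp_read_kernel code and not the upstream patch). The reply layout (16-bit big-endian byte count followed by data) and the function names are assumptions for the illustration; the defensive check that matters is the comparison of the claimed length against the destination buffer size before the memcpy.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed user-space model of handling an NCP read reply, assumed here
 * to be a 16-bit big-endian byte count at offset 0 followed by the data.
 * It is not the kernel's own ncp_read_kernel() code. */
#define NCP_REPLY_HDR 2

static size_t reply_be16(const uint8_t *reply)
{
    return (size_t)((reply[0] << 8) | reply[1]);
}

/* Copy the server's data into 'target' (capacity 'size'). Returns 0 on
 * success, -EINVAL when the server claims more bytes than the caller's
 * buffer holds (the CVE-2018-8822 condition) or than the reply carries. */
int ncp_read_reply_checked(const uint8_t *reply, size_t reply_len,
                           uint8_t *target, size_t size, size_t *bytes_read)
{
    if (reply_len < NCP_REPLY_HDR)
        return -EINVAL;
    size_t claimed = reply_be16(reply);
    /* 'claimed' is under the server's control; without this bound the
     * memcpy below writes past 'target', the memory corruption at issue. */
    if (claimed > size)
        return -EINVAL;
    /* Additional defensive check: never read past the bytes received. */
    if (claimed > reply_len - NCP_REPLY_HDR)
        return -EINVAL;
    memcpy(target, reply + NCP_REPLY_HDR, claimed);
    *bytes_read = claimed;
    return 0;
}

int main(void)
{
    uint8_t target[8];
    size_t n = 0;
    /* Constructed replies: an honest one with 4 data bytes, and a malicious
     * one claiming 65535 bytes for an 8-byte destination buffer. */
    const uint8_t good[] = { 0x00, 0x04, 'd', 'a', 't', 'a' };
    const uint8_t bad[] = { 0xff, 0xff, 'x', 'x', 'x', 'x' };
    int rc = ncp_read_reply_checked(good, sizeof good, target, sizeof target, &n);
    printf("honest reply: rc=%d, bytes_read=%zu\n", rc, n);
    rc = ncp_read_reply_checked(bad, sizeof bad, target, sizeof target, &n);
    printf("malicious reply: rc=%d (claimed %zu bytes, buffer holds %zu)\n",
           rc, reply_be16(bad), sizeof target);
    return 0;
}
```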

Comment 1 Pedro Sampaio 2018-03-20 20:14:34 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1558698]

Comment 2 Justin M. Forbes 2018-03-20 21:21:47 UTC
NCPFS is not enabled in Fedora any longer; it is scheduled for removal from the upstream kernel.

Comment 5 Vladis Dronov 2018-03-22 16:30:23 UTC
Notes:

See upstream commits 1bb8155080c6 and 5d8515bc2321:

      The networking IPX and the ncpfs filesystem are moved into the staging
      tree, as they are on their way out of the kernel due to lack of use
      anymore.