Bug 1629636 (CVE-2018-14641)
Summary: | CVE-2018-14641 kernel: a bug in ip_frag_reasm() can cause a crash in ip_do_fragment() | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vladis Dronov <vdronov> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | ||
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | kernel 4.19-rc4 | Doc Type: | If docs needed, set a value |
Doc Text: | A security flaw was found in the ip_frag_reasm() function in net/ipv4/ip_fragment.c in the Linux kernel which can cause a later system crash in ip_do_fragment(). With a certain non-default, but not rare, configuration of a victim host, an attacker can trigger this crash remotely, thus leading to a remote denial of service. |
Last Closed: | 2019-06-10 10:37:53 UTC | Type: | --- |
Bug Depends On: | 1616059, 1629657, 1629658, 1630276, 1630279 | ||
Bug Blocks: | 1629630 |
Description
Vladis Dronov
2018-09-17 08:40:17 UTC
Note: The fix is the upstream commit 5d407b071dc3 ("ip: frags: fix crash in ip_do_fragment()") and it is fixing fa0f527358bd ("ip: use rb trees for IP frag queue."). Namely, the following part of fa0f527358bd which unions sk and ip_defrag_offset fields of struct sk_buff has introduced the vulnerability:

+++ b/include/linux/skbuff.h @@ -676,13 +676,16 @@ struct sk_buff { + + union { + struct sock *sk; + int ip_defrag_offset; + };

Only Red Hat Enterprise Linux 7 for ARM 64 and Red Hat Enterprise Linux 7 for Power 9 LE (the RHEL-ALT product) has backported this part of fa0f527358bd and so is vulnerable to this flaw. Future Linux kernel updates for this product may address this issue.

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1630279]

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2018:2948 https://access.redhat.com/errata/RHSA-2018:2948
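
Review bot: in the include/linux/skbuff.h hunk quoted in the description, the new anonymous union places `int ip_defrag_offset` in the same storage as `struct sock *sk` with no comment stating when each member is the valid one. Because a value written through `ip_defrag_offset` is afterwards visible through `sk` as if it were a socket pointer, the hunk should document which code owns the storage at which stage, and the code that writes the offset should reset `sk` to NULL before the skb is passed on to anything that tests `skb->sk`.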