Bug 1655162 (CVE-2018-16871)

Summary: CVE-2018-16871 kernel: nfs: NULL pointer dereference due to an anomalized NFS message sequence
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abhgupta, acaringi, agk, airlied, bhu, blc, brdeoliv, bskeggs, dbaker, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jkacur, john.j5live, jokerman, jonathan, josef, jross, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, lpardo, matt, mchehab, mcressma, mjg59, mlangsdo, mmilgram, nmurray, plougher, redhat-bugzilla, rt-maint, rvrbovsk, security-response-team, steved, sthangav, trankin, williams, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's NFS implementation. An attacker, who is able to mount an exported NFS filesystem, is able to trigger a null pointer dereference by using an invalid NFS sequence. This can panic the machine and deny access to the NFS server. Any outstanding disk writes to the NFS server will be lost.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-07-29 19:18:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1645353, 1656285, 1656286, 1656287, 1656288, 1672147, 1672148, 1672149, 1672150, 1672151, 1716249, 1732409, 1735922, 1735923, 1739303    
Bug Blocks: 1652217    

Description Laura Pardo 2018-11-30 19:58:15 UTC 
A flaw was found in NFS in the Linux Kernel. An attacker who is able to mount an exported NFS filesystem  is able to trigger a null pointer dereference by an invalid NFS sequence.

This can panic the machine and deny access to the NFS server. Any outstanding disk writes to the NFS server will be lost.

Upstream fix:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=01310bb7c9c98752cc763b36532fab028e0f8f81
Comment 8 Steve Dickson 2018-12-08 20:03:31 UTC 
It appears rhel7 needs this upstream commit

commit 01310bb7c9c98752cc763b36532fab028e0f8f81
Author: Scott Mayhew <smayhew>
Date:   Thu Nov 8 11:11:36 2018 -0500

    nfsd: COPY and CLONE operations require the saved filehandle to be set
    
    Make sure we have a saved filehandle, otherwise we'll oops with a null
    pointer dereference in nfs4_preprocess_stateid_op().
    
    Signed-off-by: Scott Mayhew <smayhew>
    Cc: stable.org
    Signed-off-by: J. Bruce Fields <bfields>

Since it was our guy that found and fixed I wonder if the
is a bz in he pipline.
Comment 9 Steve Dickson 2018-12-08 20:21:54 UTC 
(In reply to Steve Dickson from comment #8)
> It appears rhel7 needs this upstream commit
> 

Confirmed... The patch stops the oops and returns the error...

I looked it does not appear there is another bz opened 
on this problem.... 

Please advise on how to move forward on this...
Comment 14 Laura Pardo 2018-12-17 15:03:18 UTC 
Acknowledgments:

Name: Jasu Liedes (Synopsys SIG), Hangbin Liu (Red Hat)
Comment 16 Wade Mealing 2019-02-04 04:31:41 UTC 
After review this got bumped to "Moderate" and now qualifies for Z stream. Its kinda nasty and would STILL recommend fixing this.
Comment 22 Wade Mealing 2019-06-03 02:24:24 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1716249]
Comment 23 Justin M. Forbes 2019-06-03 14:15:08 UTC 
This was fixed for Fedora with the 4.20 stable rebases.
Comment 24 errata-xmlrpc 2019-07-29 15:14:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1873 https://access.redhat.com/errata/RHSA-2019:1873
Comment 25 errata-xmlrpc 2019-07-29 15:15:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1891 https://access.redhat.com/errata/RHSA-2019:1891
Comment 26 Product Security DevOps Team 2019-07-29 19:18:20 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-16871
Comment 33 errata-xmlrpc 2019-09-10 13:46:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:2696 https://access.redhat.com/errata/RHSA-2019:2696
Comment 34 errata-xmlrpc 2019-09-11 09:09:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2019:2730 https://access.redhat.com/errata/RHSA-2019:2730
Comment 38 errata-xmlrpc 2020-03-09 14:31:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0740 https://access.redhat.com/errata/RHSA-2020:0740
Comment 40 errata-xmlrpc 2020-04-28 15:24:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1567 https://access.redhat.com/errata/RHSA-2020:1567
Comment 41 errata-xmlrpc 2020-04-28 15:51:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1769 https://access.redhat.com/errata/RHSA-2020:1769