|Summary:||CVE-2018-16871 kernel: nfs: NULL pointer dereference due to an anomalized NFS message sequence|
|Product:||[Other] Security Response||Reporter:||Laura Pardo <lpardo>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||unspecified||CC:||abhgupta, acaringi, agk, airlied, bhu, blc, brdeoliv, bskeggs, dbaker, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jkacur, john.j5live, jokerman, jonathan, josef, jross, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, lpardo, matt, mchehab, mcressma, mjg59, mlangsdo, mmilgram, nmurray, plougher, redhat-bugzilla, rt-maint, rvrbovsk, security-response-team, steved, sthangav, trankin, williams, wmealing|
|Fixed In Version:||Doc Type:||If docs needed, set a value|
A flaw was found in the Linux kernel's NFS implementation. An attacker, who is able to mount an exported NFS filesystem, is able to trigger a null pointer dereference by using an invalid NFS sequence. This can panic the machine and deny access to the NFS server. Any outstanding disk writes to the NFS server will be lost.
|Last Closed:||2019-07-29 19:18:20 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||1645353, 1656285, 1656286, 1656287, 1656288, 1672147, 1672148, 1672149, 1672150, 1672151, 1716249, 1732409, 1735922, 1735923, 1739303|
Description Laura Pardo 2018-11-30 19:58:15 UTC
A flaw was found in NFS in the Linux Kernel. An attacker who is able to mount an exported NFS filesystem is able to trigger a null pointer dereference by an invalid NFS sequence. This can panic the machine and deny access to the NFS server. Any outstanding disk writes to the NFS server will be lost. Upstream fix: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=01310bb7c9c98752cc763b36532fab028e0f8f81
Comment 8 Steve Dickson 2018-12-08 20:03:31 UTC
It appears rhel7 needs this upstream commit commit 01310bb7c9c98752cc763b36532fab028e0f8f81 Author: Scott Mayhew <firstname.lastname@example.org> Date: Thu Nov 8 11:11:36 2018 -0500 nfsd: COPY and CLONE operations require the saved filehandle to be set Make sure we have a saved filehandle, otherwise we'll oops with a null pointer dereference in nfs4_preprocess_stateid_op(). Signed-off-by: Scott Mayhew <email@example.com> Cc: firstname.lastname@example.org Signed-off-by: J. Bruce Fields <email@example.com> Since it was our guy that found and fixed I wonder if the is a bz in he pipline.
Comment 9 Steve Dickson 2018-12-08 20:21:54 UTC
(In reply to Steve Dickson from comment #8) > It appears rhel7 needs this upstream commit > Confirmed... The patch stops the oops and returns the error... I looked it does not appear there is another bz opened on this problem.... Please advise on how to move forward on this...
Comment 14 Laura Pardo 2018-12-17 15:03:18 UTC
Acknowledgments: Name: Jasu Liedes (Synopsys SIG), Hangbin Liu (Red Hat)
Comment 16 Wade Mealing 2019-02-04 04:31:41 UTC
After review this got bumped to "Moderate" and now qualifies for Z stream. Its kinda nasty and would STILL recommend fixing this.
Comment 22 Wade Mealing 2019-06-03 02:24:24 UTC
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1716249]
Comment 23 Justin M. Forbes 2019-06-03 14:15:08 UTC
This was fixed for Fedora with the 4.20 stable rebases.
Comment 24 errata-xmlrpc 2019-07-29 15:14:25 UTC
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:1873 https://access.redhat.com/errata/RHSA-2019:1873
Comment 25 errata-xmlrpc 2019-07-29 15:15:15 UTC
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:1891 https://access.redhat.com/errata/RHSA-2019:1891
Comment 26 Product Security DevOps Team 2019-07-29 19:18:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-16871
Comment 33 errata-xmlrpc 2019-09-10 13:46:05 UTC
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Extended Update Support Via RHSA-2019:2696 https://access.redhat.com/errata/RHSA-2019:2696
Comment 34 errata-xmlrpc 2019-09-11 09:09:16 UTC
This issue has been addressed in the following products: Red Hat Enterprise MRG 2 Via RHSA-2019:2730 https://access.redhat.com/errata/RHSA-2019:2730
Comment 38 errata-xmlrpc 2020-03-09 14:31:34 UTC
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0740 https://access.redhat.com/errata/RHSA-2020:0740
Comment 40 errata-xmlrpc 2020-04-28 15:24:47 UTC
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1567 https://access.redhat.com/errata/RHSA-2020:1567