Bug 1660375 (CVE-2018-16884)

Summary: CVE-2018-16884 kernel: nfs: use-after-free in svc_process_common()
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abhgupta, bfields, dbaker, jokerman, mmilgram, slawomir, sthangav, trankin, yoyang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-07-29 19:18:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1653675, 1660818, 1660819, 1660820, 1660821, 1660822, 1660823, 1660824, 1660825, 1738868, 1738869, 1739304    
Bug Blocks: 1660379    

Description Andrej Nemec 2018-12-18 08:54:58 UTC
A flaw was found in the Linux kernel in the NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel id and cause a use-after-free. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.

References:

https://seclists.org/oss-sec/2018/q4/267

A proposed patchset:

https://patchwork.kernel.org/cover/10733767/

https://patchwork.kernel.org/patch/10733769/

Comment 3 Vladis Dronov 2018-12-18 22:16:37 UTC
Acknowledgements:

Name: Vasily Averin (Virtuozzo), Evgenii Shatokhin (Virtuozzo)

Comment 4 Vladis Dronov 2018-12-19 10:11:26 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1660825]

Comment 6 errata-xmlrpc 2019-07-29 15:14:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1873 https://access.redhat.com/errata/RHSA-2019:1873

Comment 7 errata-xmlrpc 2019-07-29 15:15:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1891 https://access.redhat.com/errata/RHSA-2019:1891

Comment 8 Product Security DevOps Team 2019-07-29 19:18:24 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-16884

Comment 15 errata-xmlrpc 2019-09-10 13:46:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:2696 https://access.redhat.com/errata/RHSA-2019:2696

Comment 16 errata-xmlrpc 2019-09-11 09:09:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2019:2730 https://access.redhat.com/errata/RHSA-2019:2730

Comment 19 errata-xmlrpc 2019-11-05 20:34:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3309 https://access.redhat.com/errata/RHSA-2019:3309

Comment 20 errata-xmlrpc 2019-11-05 21:05:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3517 https://access.redhat.com/errata/RHSA-2019:3517

Comment 23 errata-xmlrpc 2020-01-22 21:24:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0204 https://access.redhat.com/errata/RHSA-2020:0204

Comment 25 errata-xmlrpc 2020-07-07 13:18:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2854 https://access.redhat.com/errata/RHSA-2020:2854