Bug 1679764

Summary: kernel: netfilter: out-of-bounds read and write in SNMP NAT module
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE
Severity: high
Priority: high
Version: unspecified
CC: airlied, bhu, bskeggs, hdegoede, hkrzesin, hwkernel-mgr, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, john.j5live, jonathan, josef, jwboyer, kernel-maint, kernel-mgr, labbott, linville, mchehab, mjg59, security-response-team, steved, vdronov, williams
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2019-03-01 14:57:45 UTC
Bug Depends On: 1683444
Bug Blocks: 1679765

Description Laura Pardo 2019-02-21 19:48:49 UTC
In Linux kernel 4.16, the netfilter SNMP NAT component was rewritten to use the ASN.1 parser generator. Unfortunately, the grammar defines two callbacks that do NOT check if enough data is provided. This results in an out-of-bounds write into the "skb shinfo" area, which can lead to privilege escalation. This might be remotely exploitable if the host is configured for SNMP NAT.

Introduced in:
https://github.com/torvalds/linux/commit/cc2d58634e0f489d28b5564c05abc69930b4d920

Upstream Patch:
https://github.com/torvalds/linux/commit/c4c07b4d6fa1f11880eab8e076d3d060ef3f55fc
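The length-check gap the description names, as an added illustration that is neither the kernel's code nor the reporter's: two hypothetical primitive-value callbacks in the style a generated ASN.1 parser invokes, first without and then with a check of the claimed length against the destination field, plus a minimal stand-in decoder that feeds them one TLV. Callback names, the context struct, the global context and the tag values are assumptions.

```c
/* Added illustration (not the kernel's nf_nat_snmp_basic code): the two
 * primitive-value callbacks a generated ASN.1 parser invokes, shown without
 * and with a length check. Names, tags and struct layout are assumptions. */
#include <errno.h>
#include <stdint.h>
#include <string.h>
struct snmp_ctx {
    uint32_t ip;      /* IPv4 address to rewrite: exactly 4 bytes expected */
    uint8_t  version; /* SNMP version octet: exactly 1 byte expected */
};
typedef int (*prim_cb)(struct snmp_ctx *, const uint8_t *, size_t);
static struct snmp_ctx g_ctx; /* shared context for the demonstration only */

/* Unchecked form: the copy length is whatever the packet's length byte said,
 * so a claimed length above sizeof(ctx->ip) writes past the field. */
static int ip_cb_unchecked(struct snmp_ctx *ctx, const uint8_t *d, size_t n)
{
    memcpy(&ctx->ip, d, n);
    return 0;
}
/* Checked form: refuse anything but the exact encoded size before copying. */
static int ip_cb_checked(struct snmp_ctx *ctx, const uint8_t *d, size_t n)
{
    if (n != sizeof(ctx->ip))
        return -EINVAL;
    memcpy(&ctx->ip, d, n);
    return 0;
}
static int version_cb_checked(struct snmp_ctx *ctx, const uint8_t *d, size_t n)
{
    if (n != sizeof(ctx->version))
        return -EINVAL;
    ctx->version = d[0];
    return 0;
}
/* Stand-in for the generated decoder: read one short-form TLV and hand its
 * value to the callback. The decoder can only bound the length against the
 * packet; only the callback knows the size of its destination field. */
static int decode_one_tlv(const uint8_t *buf, size_t buflen, uint8_t want_tag,
                          struct snmp_ctx *ctx, prim_cb cb)
{
    if (buflen < 2 || buf[0] != want_tag || (buf[1] & 0x80))
        return -EBADMSG;
    size_t len = buf[1];
    if (len > buflen - 2)
        return -EBADMSG;              /* would read past the packet */
    return cb(ctx, buf + 2, len);     /* destination bound is the callback's job */
}
```

The decoder can validate the length byte only against the packet it was handed; the destination size is known only inside the callback, so that is where the check has to live.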

Comment 2 Laura Pardo 2019-02-26 21:04:16 UTC
Public through:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1776

Comment 3 Laura Pardo 2019-02-26 21:04:33 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1683444]

Comment 4 Justin M. Forbes 2019-02-26 23:04:46 UTC
Fedora started tracking this in bodhi in 1679972.

Comment 5 Vladislav Dronov 2019-03-01 14:57:45 UTC

*** This bug has been marked as a duplicate of bug 1683191 ***