Bug 1743520 (CVE-2017-18509)

Summary: CVE-2017-18509 kernel: not checking sk_type and protocol in net/ipv6/ip6mr.c leads to general protection fault, or arbitrary code execution
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, plougher, rt-maint, rvrbovsk, steved, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's net/ipv6/ip6mr.c, where setting a specific socket option can cause an inet_csk_listen_stop general protection fault. An attacker with CAP_NET_ADMIN-style privileges inside a container can crash the system or execute arbitrary code by issuing a specially crafted call to configure IPv6 multicast routing.
Story Points: ---
Last Closed: 2019-08-21 02:47:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1743914, 1743915
Bug Blocks: 1743521

Description Marian Rehak 2019-08-20 07:37:32 UTC
By setting a specific socket option, an attacker can control a pointer in kernel land and cause an inet_csk_listen_stop general protection fault, or potentially execute arbitrary code under certain circumstances. This affects Linux distributions that use 4.9.x longterm kernels before 4.9.187.

External References:

https://pulsesecurity.co.nz/advisories/linux-kernel-4.9-inetcsklistenstop-gpf

Upstream Patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=99253eb750fda6a644d5188fb26c43bad8d5a745

Comment 4 Wade Mealing 2019-08-21 01:18:30 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1743914]

Comment 5 Wade Mealing 2019-08-21 01:18:33 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1743915]

Comment 7 Wade Mealing 2019-08-21 02:03:03 UTC
Statement: 

At this time none of the Red Hat Enterprise Linux shipping releases are vulnerable to the described flaw.

Comment 8 Product Security DevOps Team 2019-08-21 02:47:09 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2017-18509

Comment 9 Justin M. Forbes 2019-08-21 12:25:38 UTC
This was fixed in the 4.11 kernel; no currently supported Fedora release was ever vulnerable.