Bug 1772527 (CVE-2019-18680)

Summary: CVE-2019-18680 kernel: NULL pointer dereference in rds_tcp_kill_sock() in net/rds/tcp.c
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: acaringi, airlied, bdettelb, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jross, jschorr, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, plougher, qzhao, rt-maint, rvrbovsk, steved, williams, wmealing
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text: A flaw was found in the Linux kernel's implementation of RDS over TCP. A system that has the rds_tcp kernel module that is loaded through an autoload via a local process running listen(), or manual loading, could possibly cause a kernel panic.
Last Closed: 2020-02-17 14:09:56 UTC
Bug Depends On: 1772528
Bug Blocks: 1772529

Description Guilherme de Almeida Suckevicz 2019-11-14 14:53:06 UTC
A flaw was found in the Linux kernel's implementation of RDS over TCP. A system that has the rds_tcp kernel module loaded (either through autoload via a local process running listen(), or manual loading) could possibly cause a kernel panic.


Reference and upstream commit:

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=91573ae4aed0a49660abdad4d42f2a0db995ee5e

Comment 1 Guilherme de Almeida Suckevicz 2019-11-14 14:53:27 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1772528]

Comment 2 Justin M. Forbes 2019-11-14 17:05:29 UTC
This does not impact any currently supported Fedora kernel.

Comment 4 Wade Mealing 2020-02-17 12:42:54 UTC
Mitigation:

While this is a network protocol being affected, the protocol is not available by default. A local process (or user) can trigger the protocol to be used, which will then be loaded automatically; the system would then have the vulnerable code loaded and the attack vector opened. To reiterate, it is unlikely that most Linux systems will be using this protocol and therefore be affected.

Most systems do _NOT_ have this protocol used by services. This is an infrequently used module and if you wish to blacklist it, you can follow the steps outlined in https://access.redhat.com/solutions/41278 to blacklist the "rds_tcp" module for the relevant version of Red Hat Enterprise Linux.
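
A check for the mitigation described in Comment 4, as an added example that is not part of the original bug report or of Red Hat's instructions: it reports whether `rds_tcp` is already loaded and whether modprobe configuration keeps it from loading. It assumes the standard `blacklist` and `install` directives of modprobe.d(5) and a single configuration directory; the function names and status strings are made up for this example.

```shell
#!/bin/sh
# Added example: report whether rds_tcp can still be loaded on this host.
# Defaults assume the usual /etc/modprobe.d and /proc/modules locations;
# both are parameters so a copied config tree can be audited offline.
# Usage on a live host: rds_tcp_status

# has_directive DIR KEYWORD: succeed if any DIR/*.conf names rds_tcp under
# KEYWORD ("blacklist", or "install" pointing at /bin/false or /bin/true).
has_directive() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        # Strip comments first so a commented-out rule is not counted.
        sed 's/#.*//' "$f" | awk -v kw="$2" '
            $1 == kw {
                m = $2; gsub(/-/, "_", m)      # modprobe treats - and _ alike
                if (m != "rds_tcp") next
                if (kw == "blacklist") hit = 1
                else if ($3 == "/bin/false" || $3 == "/bin/true") hit = 1
            }
            END { exit hit ? 0 : 1 }' && return 0
    done
    return 1
}

# rds_tcp_status [DIR] [MODULES_FILE]: print one of
#   loaded          module is in the running kernel right now
#   blocked         install override stops modprobe from inserting it
#   blacklist-only  alias autoload suppressed, "modprobe rds_tcp" still works
#   loadable        no restriction found in DIR
rds_tcp_status() {
    dir=${1:-/etc/modprobe.d}
    mods=${2:-/proc/modules}
    if [ -r "$mods" ] && awk '$1 == "rds_tcp" { f = 1 } END { exit f ? 0 : 1 }' "$mods"; then
        echo loaded
    elif has_directive "$dir" install; then
        echo blocked
    elif has_directive "$dir" blacklist; then
        echo blacklist-only
    else
        echo loadable
    fi
}
```

A `loaded` result means the configuration change alone is not enough until the module is removed or the host is rebooted.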

Comment 6 Wade Mealing 2020-02-17 12:59:46 UTC
Rating this as low, as it's not in use by default, not many services even use RDS over TCP, and it crashes the system; no privilege escalation in the initial investigation.

If this affects your system in another way, please feel free to lodge a support case. It is not compiled/enabled for RHEL 7 and 8 based kernels.

Comment 7 Product Security DevOps Team 2020-02-17 14:09:56 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-18680