Bug 1825116 (CVE-2020-10711)

Summary: CVE-2020-10711 Kernel: NetLabel: null pointer dereference while receiving CIPSO packet with null category may cause kernel panic
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: acaringi, airlied, asavkov, bhu, blc, bmasney, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jiji, jlelli, joe.lawrence, john.j5live, jonathan, josef, jpoimboe, jross, jshortt, jstancek, jthierry, jwboyer, kcarcia, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, omosnace, pabeni, pmatouse, ptalbert, qzhao, rhandlin, rt-maint, rvrbovsk, security-response-team, shgao, steved, williams, ycote, yoguma
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: kernel-5.7
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference flaw was found in the Linux kernel's SELinux subsystem. This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into the SELinux extensible bitmap via the 'ebitmap_netlbl_import' routine. While processing the CIPSO restricted bitmap tag in the 'cipso_v4_parsetag_rbm' routine, it sets the security attribute to indicate that the category bitmap is present, even if it has not been allocated. This issue leads to a NULL pointer dereference while importing the same category bitmap into SELinux. This flaw allows a remote network user to crash the system kernel, resulting in a denial of service.
Last Closed: 2020-05-12 16:32:26 UTC
Type: ---
Bug Depends On: 1827226, 1827227, 1827228, 1827229, 1827230, 1827231, 1827233, 1827234, 1827235, 1827236, 1827237, 1827238, 1827239, 1827240, 1827241, 1827242, 1827243, 1827244, 1827245, 1827246, 1827247, 1827248, 1827249, 1827250, 1827251, 1827328, 1827329, 1827330, 1827331, 1827332, 1828336, 1828337, 1834778    
Bug Blocks: 1824404    

Description Marian Rehak 2020-04-17 06:32:45 UTC
A NULL pointer dereference issue was found in the Linux kernel's SELinux subsystem. It occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into SELinux's extensible bitmap via the 'ebitmap_netlbl_import' routine. While parsing the CIPSO restricted bitmap tag in the 'cipso_v4_parsetag_rbm' routine, it sets the security attribute to indicate that the category bitmap is present, even if it has not been allocated. This leads to the said NULL pointer dereference issue while importing the same category bitmap into SELinux. A remote network user could use this flaw to crash the system kernel, resulting in a DoS scenario.

This issue was introduced by upstream commit:
  -> https://git.kernel.org/linus/4b8feff251da3d7058b5779e21b33a85c686b974
     netlabel: fix the horribly broken catmap functions


Upstream patch:
---------------
  -> https://lore.kernel.org/netdev/07d99ae197bfdb2964931201db67b6cd0b38db5b.1589276729.git.pabeni@redhat.com/T/#u

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2020/05/12/2
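
The flag/pointer mismatch described above, as an added user-space model (not kernel code and not the upstream patch): the flawed parser marks the category bitmap as present even when nothing was allocated, and the hardened parser ties the flag to the allocation. All type, function and flag names here are hypothetical, and the lazy allocation on the first set category is an assumption of the model.

```c
#include <stdint.h>
#include <stdlib.h>

#define ATTR_MLS_CAT 0x1u            /* model flag: "category bitmap is present" */
struct catmap  { uint64_t bits; };   /* toy 64-category bitmap (hypothetical type) */
struct secattr { unsigned flags; struct catmap *cat; };

/* Model assumption: the bitmap is allocated lazily, when the first category is set. */
static int map_categories(const uint8_t *tag, size_t len, struct secattr *sa)
{
    for (size_t i = 0; i < len * 8 && i < 64; i++) {
        if (!(tag[i / 8] & (0x80u >> (i % 8))))
            continue;
        if (!sa->cat && !(sa->cat = calloc(1, sizeof(*sa->cat))))
            return -1;
        sa->cat->bits |= UINT64_C(1) << i;
    }
    return 0;
}
/* Flawed pattern from the report: the flag is set whether or not cat was allocated. */
int parse_tag_flawed(const uint8_t *tag, size_t len, struct secattr *sa)
{
    if (map_categories(tag, len, sa) < 0)
        return -1;
    sa->flags |= ATTR_MLS_CAT;
    return 0;
}
/* Hardened parser: the flag is set only when a bitmap really exists. */
int parse_tag_hardened(const uint8_t *tag, size_t len, struct secattr *sa)
{
    if (map_categories(tag, len, sa) < 0)
        return -1;
    if (sa->cat)
        sa->flags |= ATTR_MLS_CAT;
    return 0;
}
/* Importer: returns -1 where code trusting the flag alone would dereference NULL. */
int import_categories(const struct secattr *sa, uint64_t *out)
{
    *out = 0;
    if (!(sa->flags & ATTR_MLS_CAT))
        return 0;
    if (!sa->cat)
        return -1;
    *out = sa->cat->bits;
    return 0;
}
```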

Comment 3 Prasad Pandit 2020-04-23 12:48:57 UTC
Acknowledgments:

Name: Matthew Sheets (gd-ms.com)

Comment 11 Prasad Pandit 2020-05-07 19:31:11 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

This issue can only be resolved by applying updates.

Comment 12 Prasad Pandit 2020-05-12 12:08:00 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1834778]

Comment 13 errata-xmlrpc 2020-05-12 15:12:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2104 https://access.redhat.com/errata/RHSA-2020:2104

Comment 14 errata-xmlrpc 2020-05-12 15:27:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2102 https://access.redhat.com/errata/RHSA-2020:2102

Comment 15 errata-xmlrpc 2020-05-12 15:33:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:2103 https://access.redhat.com/errata/RHSA-2020:2103

Comment 16 Product Security DevOps Team 2020-05-12 16:32:26 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10711

Comment 17 errata-xmlrpc 2020-05-12 18:38:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2082 https://access.redhat.com/errata/RHSA-2020:2082

Comment 18 errata-xmlrpc 2020-05-12 18:38:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2085 https://access.redhat.com/errata/RHSA-2020:2085

Comment 20 errata-xmlrpc 2020-05-13 07:43:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2125 https://access.redhat.com/errata/RHSA-2020:2125

Comment 23 errata-xmlrpc 2020-05-14 19:06:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2171 https://access.redhat.com/errata/RHSA-2020:2171

Comment 25 errata-xmlrpc 2020-05-19 12:37:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2199 https://access.redhat.com/errata/RHSA-2020:2199

Comment 26 errata-xmlrpc 2020-05-19 12:38:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2203 https://access.redhat.com/errata/RHSA-2020:2203

Comment 27 errata-xmlrpc 2020-05-19 14:41:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:2214 https://access.redhat.com/errata/RHSA-2020:2214

Comment 28 errata-xmlrpc 2020-05-20 17:35:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2020:2242 https://access.redhat.com/errata/RHSA-2020:2242

Comment 30 errata-xmlrpc 2020-05-26 08:48:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2020:2285 https://access.redhat.com/errata/RHSA-2020:2285

Comment 31 errata-xmlrpc 2020-05-26 09:39:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2020:2277 https://access.redhat.com/errata/RHSA-2020:2277

Comment 32 errata-xmlrpc 2020-05-26 11:17:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:2289 https://access.redhat.com/errata/RHSA-2020:2289

Comment 33 errata-xmlrpc 2020-05-26 11:17:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:2291 https://access.redhat.com/errata/RHSA-2020:2291

Comment 38 errata-xmlrpc 2020-06-09 18:45:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:2429 https://access.redhat.com/errata/RHSA-2020:2429

Comment 39 Petr Matousek 2020-06-10 11:39:48 UTC
Statement:

This issue affects the versions of the kernel packages as shipped with the Red Hat Enterprise Linux 6 starting with the Red Hat Enterprise Linux 6.7 GA version kernel-2.6.32-573. Prior Red Hat Enterprise Linux 6 kernel versions are not affected.

Comment 40 errata-xmlrpc 2020-06-11 01:33:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:2519 https://access.redhat.com/errata/RHSA-2020:2519

Comment 41 errata-xmlrpc 2020-06-11 02:10:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:2522 https://access.redhat.com/errata/RHSA-2020:2522