Bug 2014970 (CVE-2021-3894)

Summary: CVE-2021-3894 kernel: sctp: local DoS: unprivileged user can cause BUG()
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, bhu, brdeoliv, bskeggs, carnil, chwhite, crwood, dhoward, dvlasenk, eshatokhin, fhrbata, fpacheco, hdegoede, hkrzesin, jarod, jarodwilson, jburrell, jeremy, jfaracco, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lzampier, masami256, mchehab, nmurray, ptalbert, qzhao, rkeshri, rvrbovsk, scweaver, security-response-team, steve.beattie, steved, vkumar, walters, williams, wmealing
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the Linux kernel. This flaw allows an unprivileged local user to panic the system, resulting in a denial of service by calling setsockopt(2) with specially crafted arguments. The highest threat from this vulnerability is to system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-03-02 14:20:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2016890, 2016891, 2020393, 2050038
Bug Blocks: 2014939

Description Dhananjay Arunesh 2021-10-18 06:56:06 UTC
A vulnerability was found in the Linux kernel where an unprivileged local user can panic the system and create a denial of service by calling setsockopt(2) with specially crafted arguments.

Comment 9 Wade Mealing 2022-02-03 04:38:36 UTC
This flaw was fixed in kernel-4.18.0-356.el8 and newer by commit 23a1bbe06fb43.

Comment 10 Wade Mealing 2022-02-03 05:07:46 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2050038]

Comment 11 Wade Mealing 2022-02-03 05:22:36 UTC
Initial checks of Fedora's kernels in 35 show that this is already fixed, but I'll let the Fedora sec team make that call.

Comment 12 Justin M. Forbes 2022-02-03 23:10:34 UTC
This was fixed for Fedora with the 5.14.14 stable kernel updates.

Comment 13 Salvatore Bonaccorso 2022-02-04 04:56:55 UTC
What is the upstream fix for this issue?

Comment 14 Salvatore Bonaccorso 2022-02-04 05:09:42 UTC
The bug here depends on #2020393 and for kernel-4.18.0-356.el8

- sctp: fix transport encap_port update in sctp_vtag_verify (Xin Long) [2020393]
- sctp: account stream padding length for reconf chunk (Xin Long) [2020393]
- sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb (Xin Long) [2020393]

but unfortunately https://git.centos.org/rpms/kernel/c/23a1bbe06fb43 does not exist.

Is it then https://git.kernel.org/linus/a2d859e3fc97e79d907761550dbc03ff1b36479c ?
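The two facts a responder takes from Comment 9 and Comment 14 are the fixed build (kernel-4.18.0-356.el8) and the RHEL tracking bug the backported sctp patches cite ([2020393]). The following POSIX sh snippet is an added example, not part of this bug report or of Red Hat's tooling: it turns those two facts into host checks, first a version-aware comparison of `uname -r` against the fixed NVR, then a changelog grep for the tracking bug ID, which is the more reliable of the two because a kernel whose release string sorts below 4.18.0-356.el8 can still carry the backport, and a kernel from another product stream cannot be judged by this number at all. The sample changelog lines are constructed from the three patch titles in Comment 14; the function names and exit codes are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the bug report or from Red Hat tooling:
# check whether a RHEL 8 host carries the CVE-2021-3894/CVE-2022-0322 fix.

FIXED_NVR="4.18.0-356.el8"   # fixed build named in Comment 9
FIX_BUG_ID="2020393"         # tracking bug cited by the sctp patches (Comment 14)

# kernel_at_least RELEASE FIXED
# Exit 0 if RELEASE (as printed by `uname -r`) is FIXED or newer by
# version-aware ordering, 1 if it is older, 2 if RELEASE is not a RHEL 8
# kernel at all (a 3.10.0 el7 or a Fedora 5.14 release cannot be judged
# against an el8 NVR).
kernel_at_least() {
    rel=$1
    case "$rel" in
        *.el8*) ;;
        *) return 2 ;;
    esac
    # uname -r appends the architecture; the package NVR has no such suffix
    for arch in x86_64 aarch64 ppc64le s390x; do
        rel=${rel%.$arch}
    done
    lowest=$(printf '%s\n%s\n' "$rel" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# changelog_has_fix
# Reads an rpm changelog on stdin and exits 0 if any entry cites the
# tracking bug ID in brackets, the way the three patch lines in Comment 14 do.
# On a live host feed it with:  rpm -q --changelog kernel-core-$(uname -r)
changelog_has_fix() {
    grep -q "\[$FIX_BUG_ID\]"
}

# Constructed sample changelog (the three patch titles from Comment 14).
SAMPLE_CHANGELOG_FIXED='- sctp: fix transport encap_port update in sctp_vtag_verify (Xin Long) [2020393]
- sctp: account stream padding length for reconf chunk (Xin Long) [2020393]
- sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb (Xin Long) [2020393]'

# Constructed sample with no matching entry.
SAMPLE_CHANGELOG_OTHER='- net: unrelated change (Someone) [1111111]'

# Demo against the running kernel; only meaningful on a RHEL 8 host.
if kernel_at_least "$(uname -r)" "$FIXED_NVR"; then
    echo "$(uname -r): at or past $FIXED_NVR"
else
    echo "$(uname -r): below $FIXED_NVR or not a RHEL 8 kernel; check the changelog"
fi
```

Use the changelog check as the deciding one: a RHEL 8 z-stream kernel whose release number is lower than 356 may have received the backport, and the version comparison alone would wrongly report it as unfixed.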

Comment 15 Salvatore Bonaccorso 2022-02-13 15:15:07 UTC
Additionally to this question, in case the fix is the correct one, are then CVE-2021-3894 and CVE-2022-0322 duplicates?

Comment 16 Wade Mealing 2022-02-22 04:02:14 UTC
Gday Carnil, they very well might be duplicates.   Your upstream link looks like the correct fix.

I'm going to set the needinfo on Rohit as I am no longer doing flaw analysis, sorry for the delay in updates.

Thanks.

Comment 17 Rohit Keshri 2022-03-02 14:19:13 UTC
Hello Carnil and Wade, thank you for reporting this to us. You are right, CVE-2021-3894 is a duplicate of CVE-2022-0322, and we are going to reject CVE-2021-3894.

Comment 18 Rohit Keshri 2022-03-02 14:21:20 UTC

*** This bug has been marked as a duplicate of bug 2042822 ***