Red Hat Bugzilla – Bug 1070618
CVE-2014-0100 kernel: net: inet frag code race condition leading to use-after-free
Last modified: 2015-10-15 14:15:40 EDT
Description of the problem:
A very subtle race condition between inet_frag_evictor,
inet_frag_intern and the IPv4/6 frag_queue and expire functions (basically
the users of inet_frag_kill/inet_frag_put) was found.
What happens is that after a fragment has been added to the hash chain but
before it's been added to the lru_list (inet_frag_lru_add), it may get
deleted (either by an expired timer if the system load is high or the
timer sufficiently low, or by the frag_queue function for different
reasons) before it's added to the lru_list, then after it gets added
it's a matter of time for the evictor to get to a piece of memory which
has been freed leading to a number of different bugs depending on what's
This issue was discovered by Nikolay Aleksandrov of Red Hat.
This issue did not affect the versions of Linux kernel package as shipped with Red Hat Enterprise Linux 5 and 6 as they did not backport the commit that introduced this issue.
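The ordering bug described above, modelled in added example code that is not from the kernel or from this report: `intern_racy` reproduces the window between the hash-chain add and the LRU add, while `intern_fixed` models the upstream fix, which moved the LRU add under the chain lock so a kill can no longer interleave. The struct and function names are the model's own, and the interleaving is simulated deterministically rather than with real threads.

```c
/* Deterministic model of the inet_frag_intern / inet_frag_kill race.
 * A queue has three flags standing in for the kernel state; the bug is
 * visible whenever the lru_list references a queue that was already
 * killed (INET_FRAG_COMPLETE), which the evictor would later free twice. */
#include <stdbool.h>

struct frag_queue {
    bool in_hash;   /* linked on a hash chain */
    bool in_lru;    /* linked on the lru_list */
    bool complete;  /* killed: memory is about to be (or has been) freed */
};

/* Invariant the evictor relies on: nothing on the lru_list is dead. */
static bool lru_holds_dead(const struct frag_queue *q)
{
    return q->in_lru && q->complete;
}

/* inet_frag_kill(): unlink from the hash chain and from the lru_list
 * (if present), then mark the queue complete. Runs under chain_lock. */
static void kill(struct frag_queue *q)
{
    if (q->complete)
        return;
    q->in_hash = false;
    q->in_lru = false;
    q->complete = true;
}

/* Buggy ordering: the LRU add happens after chain_lock is dropped, so the
 * expire timer or frag_queue path can kill the queue in between.
 * kill_in_window simulates exactly that interleaving. */
static bool intern_racy(struct frag_queue *q, bool kill_in_window)
{
    q->in_hash = true;              /* hlist_add_head under chain_lock */
    /* chain_lock released here */
    if (kill_in_window)
        kill(q);                    /* timer fires: queue unlinked, marked dead */
    q->in_lru = true;               /* inet_frag_lru_add after the unlock */
    return lru_holds_dead(q);       /* true: lru_list now references a dead queue */
}

/* Fixed ordering: both adds happen while chain_lock is held, and kill()
 * needs that lock too, so the earliest it can run is after both steps. */
static bool intern_fixed(struct frag_queue *q, bool kill_after)
{
    q->in_hash = true;              /* under chain_lock */
    q->in_lru = true;               /* inet_frag_lru_add under chain_lock */
    /* chain_lock released here */
    if (kill_after)
        kill(q);                    /* unlinks from both lists; no stale entry */
    return lru_holds_dead(q);       /* false */
}
```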
Upstream patch submission:
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1072026]
kernel-3.13.5-202.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
kernel-3.13.5-103.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
MRG for RHEL-6 v.2
Via RHSA-2014:0557 https://rhn.redhat.com/errata/RHSA-2014-0557.html