Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1083246 - (CVE-2014-2672) CVE-2014-2672 kernel: ath9k: tid->sched race in ath_tx_aggr_sleep()
CVE-2014-2672 kernel: ath9k: tid->sched race in ath_tx_aggr_sleep()
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20140220,repor...
: Security
Depends On: 1083249 1083250 1083251 1083252 1083253 1083254 1083255 1093340
Blocks: 1083261
  Show dependency treegraph
 
Reported: 2014-04-01 14:35 EDT by Petr Matousek
Modified: 2015-07-31 03:17 EDT (History)
31 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that a remote attacker could use a race condition flaw in the ath_tx_aggr_sleep() function to crash the system by creating large network traffic on the system's Atheros 9k wireless network adapter.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-08-06 13:40:51 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0557 normal SHIPPED_LIVE Important: kernel-rt security update 2014-05-27 16:25:52 EDT
Red Hat Product Errata RHSA-2014:0981 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2014-07-29 15:51:12 EDT
Red Hat Product Errata RHSA-2014:1023 normal SHIPPED_LIVE Important: kernel security and bug fix update 2014-08-06 17:10:29 EDT
Red Hat Product Errata RHSA-2014:1101 normal SHIPPED_LIVE Important: kernel security and bug fix update 2014-08-27 14:01:22 EDT

  None (edit)
Description Petr Matousek 2014-04-01 14:35:16 EDT 
We check tid->sched without a lock taken on ath_tx_aggr_sleep(). That is race condition which can result of doing list_del(&tid->list) twice (second time with poisoned list node) and causing a crash.

Upstream fixes:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=21f8aaee0c62708654988ce092838aa7df4d25d8

References:
http://seclists.org/oss-sec/2014/q1/701
Comment 1 Petr Matousek 2014-04-01 14:36:26 EDT 
Statement:

This issued does not affect Red Hat Enterprise Linux 5 because we do not provide support for Atheros 9k wireless network adapters.
Comment 3 Petr Matousek 2014-04-01 14:38:47 EDT 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1083253]
Comment 6 errata-xmlrpc 2014-05-27 12:27:28 EDT 
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2014:0557 https://rhn.redhat.com/errata/RHSA-2014-0557.html
Comment 7 errata-xmlrpc 2014-07-29 11:51:40 EDT 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0981 https://rhn.redhat.com/errata/RHSA-2014-0981.html
Comment 8 Martin Prpič 2014-08-05 08:08:20 EDT 
IssueDescription:

It was found that a remote attacker could use a race condition flaw in the ath_tx_aggr_sleep() function to crash the system by creating large network traffic on the system's Atheros 9k wireless network adapter.
Comment 9 errata-xmlrpc 2014-08-06 13:10:53 EDT 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1023 https://rhn.redhat.com/errata/RHSA-2014-1023.html
Comment 10 errata-xmlrpc 2014-08-27 10:01:45 EDT 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6.4 EUS - Server and Compute Node Only

Via RHSA-2014:1101 https://rhn.redhat.com/errata/RHSA-2014-1101.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.