Bug 1083512 (CVE-2014-2706) - CVE-2014-2706 Kernel: net: mac80211: crash dues to AP powersave TX vs. wakeup race
Summary: CVE-2014-2706 Kernel: net: mac80211: crash dues to AP powersave TX vs. wakeup...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-2706
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1083531 1083532 1083533 1083534 1083535 1083536 1083538 1093618
Blocks: 1083460
TreeView+ depends on / blocked
 
Reported: 2014-04-02 11:29 UTC by Prasad J Pandit
Modified: 2019-09-29 13:15 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A race condition flaw was found in the way the Linux kernel's mac80211 subsystem implementation handled synchronization between TX and STA wake-up code paths. A remote attacker could use this flaw to crash the system.
Clone Of:
Environment:
Last Closed: 2014-08-06 17:39:07 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0557 normal SHIPPED_LIVE Important: kernel-rt security update 2014-05-27 20:25:52 UTC
Red Hat Product Errata RHSA-2014:0981 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2014-07-29 19:51:12 UTC
Red Hat Product Errata RHSA-2014:1023 normal SHIPPED_LIVE Important: kernel security and bug fix update 2014-08-06 21:10:29 UTC
Red Hat Product Errata RHSA-2014:1101 normal SHIPPED_LIVE Important: kernel security and bug fix update 2014-08-27 18:01:22 UTC

Description Prasad J Pandit 2014-04-02 11:29:09 UTC
A Linux kernel built with a Generic IEEE 802.11 Networking Stack
(CONFIG_MAC80211) is vulnerable to a crash caused by a race condition in frame
transmission path and station wakeup event, in case when it's sleeping.
The crash occurs because, mac80211 stack buffers frames when the station is
sleeping, and the same are transmitted upon the station's(STA) wakeup. At this
point, a buffered TX frame list is being emptied, while a new frame is being
added to the RX list.

A remote unprivileged user/program could use this flaw to crash the system
kernel, resulting in DoS.

Upstream fix:
-------------
  -> https://git.kernel.org/linus/1d147bfa64293b2723c4fec50922168658e613ba

Reference:
----------
  -> http://seclists.org/oss-sec/2014/q2/7

Comment 1 Prasad J Pandit 2014-04-02 12:08:30 UTC
Statement:

This issue does not affect the version of the kernel package as shipped with
Red Hat Enterprise Linux 5.

Comment 4 Prasad J Pandit 2014-04-02 12:17:28 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1083538]

Comment 6 errata-xmlrpc 2014-05-27 16:27:48 UTC
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2014:0557 https://rhn.redhat.com/errata/RHSA-2014-0557.html

Comment 8 errata-xmlrpc 2014-07-29 15:52:35 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0981 https://rhn.redhat.com/errata/RHSA-2014-0981.html

Comment 9 Martin Prpič 2014-08-05 12:08:59 UTC
IssueDescription:

A race condition flaw was found in the way the Linux kernel's mac80211 subsystem implementation handled synchronization between TX and STA wake-up code paths. A remote attacker could use this flaw to crash the system.

Comment 10 errata-xmlrpc 2014-08-06 17:11:04 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1023 https://rhn.redhat.com/errata/RHSA-2014-1023.html

Comment 11 errata-xmlrpc 2014-08-27 14:01:56 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6.4 EUS - Server and Compute Node Only

Via RHSA-2014:1101 https://rhn.redhat.com/errata/RHSA-2014-1101.html


Note You need to log in before you can comment on or make changes to this bug.