Bug 1263139 - (CVE-2015-6937) CVE-2015-6937 kernel: net: rds: NULL pointer dereference in net/rds/connection.c
CVE-2015-6937 kernel: net: rds: NULL pointer dereference in net/rds/connection.c
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20150914,repor...
: Security
Depends On: 1263140
Blocks: 1276439
  Show dependency treegraph
 
Reported: 2015-09-15 04:12 EDT by Martin Prpič
Modified: 2016-11-08 11:20 EST (History)
36 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A NULL-pointer dereference vulnerability was discovered in the Linux kernel. The kernel's Reliable Datagram Sockets (RDS) protocol implementation did not verify that an underlying transport existed before creating a connection to a remote server. A local system user could exploit this flaw to crash the system by creating sockets at specific times to trigger a NULL pointer dereference.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-11 21:24:52 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Martin Prpič 2015-09-15 04:12:46 EDT
It was found that the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation did not verify that an underlying transport exists when creating a connection to a remote server.

This could happen on sockets that were not properly bound before attempting to send a message.

A local attacker could use this flaw to crash the system by creating sockets at specific times to trigger a NULL pointer dereference on the system.

Upstream patch:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=74e98eb085889b0d2d4908f59f6e00026063014f

CVE assignment:

http://seclists.org/oss-sec/2015/q3/545
Comment 1 Martin Prpič 2015-09-15 04:14:23 EDT
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1263140]
Comment 2 Fedora Update System 2015-09-24 01:07:26 EDT
kernel-4.2.1-300.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 3 Fedora Update System 2015-10-03 17:14:56 EDT
kernel-4.1.8-200.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2015-10-03 17:51:23 EDT
kernel-4.1.8-100.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Comment 5 Adam Mariš 2015-10-29 13:19:24 EDT
The patch is incomplete, complete fix can be found here:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7990

MITRE assigned new CVE for the vulnerability that remains present after the original incomplete patch:

http://seclists.org/oss-sec/2015/q4/179
Comment 6 Wade Mealing 2016-01-31 23:17:20 EST
Statement:

This issue did not affect kernel, kernel-rt, and realtime-kernel versions shipped with Red Hat Enterprise Linux 7 and Red Hat Enterprise MRG as they do not include the Reliable Datagram Sockets (RDS) protocol implementation.

Note You need to log in before you can comment on or make changes to this bug.