Bug 1354525 (CVE-2016-6327) - CVE-2016-6327 kernel: infiniband: Kernel crash by sending ABORT_TASK command
Status: NEW
Alias: CVE-2016-6327
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=moderate,public=20160819,repor...
Keywords: Security
Depends On: 1342604 1368307 1368308 1368309 1368310 1368311
Blocks: 1354527
Reported: 2016-07-11 13:40 UTC by Adam Mariš
Modified: 2019-02-08 14:56 UTC (History)

Doc Text:
Systems using the InfiniBand support module ib_srpt were vulnerable to a denial of service by system crash by a local attacker who is able to abort writes to a device using this initiator.

External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2016:2574 | normal | SHIPPED_LIVE | Important: kernel security, bug fix, and enhancement update | 2016-11-03 12:06:10 UTC
Red Hat Product Errata | RHSA-2016:2584 | normal | SHIPPED_LIVE | Important: kernel-rt security, bug fix, and enhancement update | 2016-11-03 12:08:49 UTC

Description Adam Mariš 2016-07-11 13:40:33 UTC
Systems using the InfiniBand support module ib_srpt were vulnerable to a denial of service by system crash by a local attacker who is able to abort writes to a device using this initiator.

There were multiple areas in which aborting a SCSI command is able to be handled; moving this to the correct location in the state machine ensured that this condition was never triggered through this code path.

The null pointer situation was enabled via a non-attacker-controlled memset, and this is not a use after free.

Product bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1342604

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=51093254bf87

http://seclists.org/oss-sec/2016/q3/334

Comment 4 Wade Mealing 2016-08-19 04:06:39 UTC
Statement:

This issue affects Red Hat Enterprise Linux 7 and MRG-2 kernels and will be addressed in a future update.  This issue does not affect Red Hat Enterprise Linux 5 and 6 systems.

Comment 7 errata-xmlrpc 2016-11-03 17:06:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html

Comment 8 errata-xmlrpc 2016-11-03 19:54:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html

Comment 9 errata-xmlrpc 2016-11-03 21:36:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html

Comment 10 errata-xmlrpc 2016-11-03 21:44:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html

