Bug 1390832 - (CVE-2016-8632) CVE-2016-8632 kernel: TIPC subsystem: tipc_msg_build() doesn't validate MTU, may cause memory corruption.
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20161107,repor...
Keywords: Security
Depends On: 1392262
Blocks: 1384811
Reported: 2016-11-01 23:52 EDT by Wade Mealing
Modified: 2018-01-24 07:32 EST

Doc Text:
A flaw was found in the TIPC networking subsystem which could allow for memory corruption and possible privilege escalation. The flaw involves a system with an unusually low MTU (60) on networking devices configured as bearers for the TIPC protocol. An attacker could create a packet which will overwrite memory outside of allocated space and allow for privilege escalation.
Description Wade Mealing 2016-11-01 23:52:10 EDT
A flaw was found in the TIPC networking subsystem which could allow for memory corruption and possible privilege escalation.  The flaw involves a system with an unusually low MTU (60) on networking devices configured as bearers for the TIPC protocol.  Not all devices support or allow MTUs below 68 octets.

An attacker can create a packet which will overwrite memory outside of allocated space and this can allow for privilege escalation.

The affected code is not enabled on Red Hat Enterprise Linux 6 and 7.  The affected code was not included in Red Hat Enterprise Linux 5.

Initial patch:
 https://www.mail-archive.com/netdev@vger.kernel.org/msg133205.html
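
A host-side check for the precondition this report describes (TIPC loaded and an interface with an unusually low MTU), added here as an example and not part of the original bug report. The function names and the default threshold of 68, taken from the description's remark about MTUs below 68 octets, are assumptions of this example; reading /proc/modules only detects TIPC built as a loadable module.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a host for the condition
# described above. THRESHOLD defaults to 68, an assumption taken from the
# description's wording; it is not a kernel-defined limit.

# tipc_loaded [MODULES_FILE]: succeeds if the tipc module is listed.
tipc_loaded() {
    modules_file=${1:-/proc/modules}
    [ -r "$modules_file" ] && grep -q '^tipc ' "$modules_file"
}

# low_mtu_ifaces [NET_DIR] [THRESHOLD]: prints "iface mtu" for every
# interface whose MTU is below THRESHOLD.
low_mtu_ifaces() {
    net_dir=${1:-/sys/class/net}
    threshold=${2:-68}
    for mtu_file in "$net_dir"/*/mtu; do
        [ -r "$mtu_file" ] || continue
        mtu=$(cat "$mtu_file")
        # Skip anything that is not a plain non-negative integer.
        case $mtu in ''|*[!0-9]*) continue ;; esac
        iface=$(basename "$(dirname "$mtu_file")")
        [ "$mtu" -lt "$threshold" ] && echo "$iface $mtu"
    done
    return 0
}

# audit_tipc_mtu [MODULES_FILE] [NET_DIR] [THRESHOLD]
# Returns 1 only when tipc is loaded AND a low-MTU interface exists.
audit_tipc_mtu() {
    hits=$(low_mtu_ifaces "$2" "$3")
    if ! tipc_loaded "$1"; then
        echo "OK: tipc module not loaded"
        return 0
    fi
    if [ -z "$hits" ]; then
        echo "OK: tipc loaded, no interface below threshold"
        return 0
    fi
    echo "REVIEW: tipc loaded and low-MTU interfaces present:"
    echo "$hits"
    return 1
}
```

Calling `audit_tipc_mtu` with no arguments checks the live host; a REVIEW result lists candidates only, since this check does not confirm that an interface is actually configured as a TIPC bearer.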
Comment 1 Wade Mealing 2016-11-01 23:55:43 EDT
Acknowledgement:

Red Hat would like to thank Qian Zhang from Qihoo 360 Marvel Team for reporting this issue.
Comment 2 Wade Mealing 2016-11-02 01:56:37 EDT
Statement:

This issue is rated as important.  The affected code is not enabled on Red Hat Enterprise Linux 6 and 7 or MRG-2 kernels.  The commit introducing the comment was not included in Red Hat Enterprise Linux 5.
Comment 4 Wade Mealing 2016-11-06 21:57:08 EST
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1392262]
Comment 5 Andrej Nemec 2016-11-08 08:22:47 EST
References:

http://seclists.org/oss-sec/2016/q4/359
