A buffer overflow vulnerability due to a lack of input filtering of incoming fragmented datagrams was found in the IP-over-1394 driver [firewire-net], in the fragment handling code of the Linux kernel. The vulnerability has existed since firewire-net gained IPv4 support, i.e. since version 2.6.31 (2009), up to version v4.9-rc4. A maliciously formed fragment with a sufficiently large datagram offset causes a memcpy past the end of the datagram reassembly buffer, which can result in a system panic or possibly arbitrary code execution.

The flaw requires the [firewire-net] module to be loaded and is remotely exploitable from connected firewire devices, but not over a local network. The IP packets enclosed in the firewire frames are, in general, completely in spec; it is the offset in the fragment header that is out of range. Systems that use firewire for IPv4 networking are frequently part of clustering software and are daisy-chained from a single machine that has a network connection: GATEWAY <-> HOST1 <-> HOST2 <-> HOST3 <-> HOSTN. The gateway could be connected to the internet, and this is how fragmented packets could reach the system. So, while arbitrary code execution is possible, the hardware configuration required for it is special and rare.

Proposed patch: https://git.kernel.org/cgit/linux/kernel/git/ieee1394/linux1394.git/commit/?h=testing&id=ff89027279ec57d69797cbae7c681672f1dbea71
Upstream patch and merge:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=667121ace9db
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=03daa36f089f
Public message: http://seclists.org/oss-sec/2016/q4/347
Research on the flaw: https://eyalitkin.wordpress.com/2016/11/06/cve-publication-cve-2016-8633/
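The following is an added example, not code from the kernel, the advisory, or the referenced patches: a user-space model of RFC 2734 (IP over IEEE 1394) link-layer fragment reassembly. It places the unchecked memcpy the advisory describes beside a bounds check that rejects fragments whose offset plus length exceeds the datagram size. The header field positions (lf in the top two bits, dg_size - 1 in bits 27..16, fragment offset in the low 12 bits, datagram label in the high half of the second word), the constants named RFC2374_*, and the struct and function names are assumptions of this model; the fragment it feeds in is constructed for the demonstration. The model keeps a guard area after the datagram buffer so the overwrite is observable without leaving the allocation.

```c
/*
 * Added example, not kernel or advisory code: a user-space model of
 * RFC 2734 fragment reassembly.  Header layout is assumed from RFC 2734;
 * dg_size travels on the wire as (datagram size - 1).
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RFC2374_HDR_UNFRAG    0   /* takes a different receive path, not modelled */
#define RFC2374_HDR_FIRSTFRAG 1
#define RFC2374_HDR_LASTFRAG  2
#define RFC2374_HDR_INTFRAG   3
#define RFC2374_FRAG_HDR_SIZE 8   /* two 32-bit words */

struct frag_hdr { uint32_t w0, w1; };

static unsigned hdr_lf(const struct frag_hdr *h)      { return (h->w0 >> 30) & 0x3; }
static unsigned hdr_dg_size(const struct frag_hdr *h) { return ((h->w0 >> 16) & 0xfff) + 1; }
static unsigned hdr_fg_off(const struct frag_hdr *h)  { return h->w0 & 0xfff; }
static unsigned hdr_dgl(const struct frag_hdr *h)     { return (h->w1 >> 16) & 0xffff; }

/* A datagram under reassembly: pbuf was sized to hold exactly dg_size bytes. */
struct partial_datagram {
    unsigned char *pbuf;
    unsigned dg_size;
    unsigned dgl;   /* datagram label tying the fragments together */
};

/* Vulnerable shape: fg_off and len are trusted straight from the wire. */
static void pd_update_unchecked(struct partial_datagram *pd, unsigned fg_off,
                                const unsigned char *frag, unsigned len)
{
    memcpy(pd->pbuf + fg_off, frag, len);   /* runs past pbuf when fg_off + len > dg_size */
}

/* Hardened shape: drop any fragment that does not fit inside the datagram.
 * Two comparisons instead of fg_off + len so the sum cannot wrap. */
static bool pd_update_checked(struct partial_datagram *pd, unsigned fg_off,
                              const unsigned char *frag, unsigned len)
{
    if (fg_off > pd->dg_size || len > pd->dg_size - fg_off)
        return false;
    memcpy(pd->pbuf + fg_off, frag, len);
    return true;
}

static uint32_t get_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put_be32(unsigned char *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* Receive path for one fragment: 1 if copied into the datagram, 0 if dropped. */
static int incoming_fragment(struct partial_datagram *pd, const unsigned char *pkt,
                             unsigned pkt_len, bool checked)
{
    struct frag_hdr hdr;
    if (pkt_len < RFC2374_FRAG_HDR_SIZE)
        return 0;
    hdr.w0 = get_be32(pkt);
    hdr.w1 = get_be32(pkt + 4);
    unsigned lf = hdr_lf(&hdr);
    if (lf != RFC2374_HDR_FIRSTFRAG && lf != RFC2374_HDR_INTFRAG && lf != RFC2374_HDR_LASTFRAG)
        return 0;
    if (hdr_dgl(&hdr) != pd->dgl || hdr_dg_size(&hdr) != pd->dg_size)
        return 0;                                   /* not a fragment of this datagram */
    unsigned fg_off = (lf == RFC2374_HDR_FIRSTFRAG) ? 0 : hdr_fg_off(&hdr);
    unsigned len = pkt_len - RFC2374_FRAG_HDR_SIZE;
    const unsigned char *payload = pkt + RFC2374_FRAG_HDR_SIZE;
    if (checked)
        return pd_update_checked(pd, fg_off, payload, len) ? 1 : 0;
    pd_update_unchecked(pd, fg_off, payload, len);
    return 1;
}

/* Build a constructed interior fragment (test input, not captured traffic). */
static unsigned build_intfrag(unsigned char *out, unsigned dg_size, unsigned fg_off,
                              unsigned dgl, const unsigned char *payload, unsigned len)
{
    uint32_t w0 = ((uint32_t)RFC2374_HDR_INTFRAG << 30) |
                  (((dg_size - 1) & 0xfffu) << 16) | (fg_off & 0xfffu);
    put_be32(out, w0);
    put_be32(out + 4, (uint32_t)(dgl & 0xffffu) << 16);
    memcpy(out + RFC2374_FRAG_HDR_SIZE, payload, len);
    return RFC2374_FRAG_HDR_SIZE + len;
}

#define DG_SIZE 64    /* datagram being reassembled */
#define BACKING 512   /* canary-filled guard area after it, so the overwrite stays observable */

/* Deliver a 16-byte fragment claiming offset fg_off into the 64-byte datagram;
 * returns whether it was applied and counts bytes written past the datagram. */
static int deliver(unsigned fg_off, bool checked, unsigned *bytes_past_end)
{
    static unsigned char backing[BACKING];
    unsigned char payload[16], pkt[RFC2374_FRAG_HDR_SIZE + 16];
    memset(backing, 0xAA, sizeof backing);
    memset(payload, 0x41, sizeof payload);
    struct partial_datagram pd = { backing, DG_SIZE, 0x1234 };
    unsigned n = build_intfrag(pkt, DG_SIZE, fg_off, 0x1234, payload, sizeof payload);
    int applied = incoming_fragment(&pd, pkt, n, checked);
    *bytes_past_end = 0;
    for (unsigned i = DG_SIZE; i < BACKING; i++)
        if (backing[i] != 0xAA)
            (*bytes_past_end)++;
    return applied;
}

int main(void)
{
    unsigned past;
    int a = deliver(200, false, &past);
    printf("unchecked, fg_off=200: applied=%d, bytes past datagram=%u\n", a, past);
    a = deliver(200, true, &past);
    printf("checked,   fg_off=200: applied=%d, bytes past datagram=%u\n", a, past);
    return 0;
}
```

The unchecked path accepts the offset-200 fragment and writes 16 bytes beyond the 64-byte datagram; the checked path drops it before touching memory, and still accepts an in-range fragment (offset 32) while rejecting one that fits its offset but not its length (offset 56, 16 bytes).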
Acknowledgments: Name: Eyal Itkin
Upstream patch: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=667121ace9db Public via: http://seclists.org/oss-sec/2016/q4/347
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1392294]
Statement: This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and MRG 2.x. This issue has been rated as having Moderate security impact. Future Linux kernel updates for the respective releases might address this issue.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:0676 https://access.redhat.com/errata/RHSA-2018:0676
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:1062 https://access.redhat.com/errata/RHSA-2018:1062
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Extended Update Support Via RHSA-2019:1170 https://access.redhat.com/errata/RHSA-2019:1170
This issue has been addressed in the following products: Red Hat Enterprise MRG 2 Via RHSA-2019:1190 https://access.redhat.com/errata/RHSA-2019:1190