Bug 1391490 (CVE-2016-8633) - CVE-2016-8633 kernel: Buffer overflow in firewire driver via crafted incoming packets
Summary: CVE-2016-8633 kernel: Buffer overflow in firewire driver via crafted incoming...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-8633
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1392294 1393791 1393792 1393793 1393794 1393797 1695819
Blocks: 1391492
TreeView+ depends on / blocked
 
Reported: 2016-11-03 12:30 UTC by Adam Mariš
Modified: 2019-09-29 13:59 UTC (History)
22 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A buffer overflow vulnerability due to a lack of input filtering of incoming fragmented datagrams was found in the IP-over-1394 driver [firewire-net] in a fragment handling code in the Linux kernel. The vulnerability exists since firewire supported IPv4, i.e. since version 2.6.31 (year 2009) till version v4.9-rc4. A maliciously formed fragment with a respectively large datagram offset would cause a memcpy() past the datagram buffer, which would cause a system panic or possible arbitrary code execution. The flaw requires [firewire-net] module to be loaded and is remotely exploitable from connected firewire devices, but not over a local network.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:01:48 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0676 None None None 2018-04-10 08:04:11 UTC
Red Hat Product Errata RHSA-2018:1062 None None None 2018-04-10 09:27:48 UTC
Red Hat Product Errata RHSA-2019:1170 None None None 2019-05-14 19:08:11 UTC
Red Hat Product Errata RHSA-2019:1190 None None None 2019-05-14 20:26:30 UTC

Description Adam Mariš 2016-11-03 12:30:35 UTC
A buffer overflow vulnerability due to a lack of input filtering of incoming fragmented datagrams was found in the IP-over-1394 driver [firewire-net] in fragment handling code in the Linux kernel. The vulnerability exists since firewire supported IPv4, i.e. since version 2.6.31 (year 2009) till version v4.9-rc4. A maliciously formed fragment with a respectively large datagram_offset would cause a memcpy past the datagram buffer, which would cause a system panic or possible arbitrary code execution.

The flaw requires [firewire-net] module to be loaded and is remotely exploitable from connected firewire devices, but not over a local network. In general, IP packets enclosed in the firewire frames are completely in spec. In situations when firewire and ipv4 networking is used, the systems are frequently a part of clustering sofware. They would be daisy chained from a single machine with a network connection: GATEWAY <-> HOST1 <-> HOST2 <-> HOST3 <-> HOSTN. So, the gateway could be connected to the internet, and this is how fragmented packets could get to the system. So, while arbitrary code execution is possible, the hardware configuration required for this is special and rare.

Proposed patch:

https://git.kernel.org/cgit/linux/kernel/git/ieee1394/linux1394.git/commit/?h=testing&id=ff89027279ec57d69797cbae7c681672f1dbea71

An upstream patch and merge:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=667121ace9db
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=03daa36f089f

Public message:

http://seclists.org/oss-sec/2016/q4/347

A research on the flaw:

https://eyalitkin.wordpress.com/2016/11/06/cve-publication-cve-2016-8633/

Comment 1 Adam Mariš 2016-11-03 12:30:52 UTC
Acknowledgments:

Name: Eyal Itkin

Comment 3 Adam Mariš 2016-11-07 06:53:00 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1392294]

Comment 9 Vladis Dronov 2016-11-10 11:18:33 UTC
Statement:

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and MRG 2.x. This issue has been rated as having Moderate security impact. Future Linux kernel updates for the respective releases might address this issue.

Comment 11 errata-xmlrpc 2018-04-10 08:03:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0676 https://access.redhat.com/errata/RHSA-2018:0676

Comment 12 errata-xmlrpc 2018-04-10 09:27:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1062 https://access.redhat.com/errata/RHSA-2018:1062

Comment 16 errata-xmlrpc 2019-05-14 19:08:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:1170 https://access.redhat.com/errata/RHSA-2019:1170

Comment 17 errata-xmlrpc 2019-05-14 20:26:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2019:1190 https://access.redhat.com/errata/RHSA-2019:1190


Note You need to log in before you can comment on or make changes to this bug.