Bug 1425406 - kernel: dccp: invalid handling of DCCP_PKT_REQUEST
Summary: kernel: dccp: invalid handling of DCCP_PKT_REQUEST
Keywords:
Status: CLOSED DUPLICATE of bug 1423071
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1423069
 
Reported: 2017-02-21 11:29 UTC by Petr Matousek
Modified: 2021-02-17 02:34 UTC

Fixed In Version:
Clone Of: CVE-2017-6074
Environment:
Last Closed: 2017-02-22 14:20:01 UTC
Embargoed:



Description Petr Matousek 2017-02-21 11:29:19 UTC
The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to cause a denial of service (invalid free) or possibly have unspecified other impact via an application that makes an IPV6_RECVPKTINFO setsockopt system call.

Upstream fix:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4

Comment 1 Petr Matousek 2017-02-21 11:29:56 UTC
Mitigation:

As the DCCP module will be auto-loaded when required, its use can be disabled by preventing the module from loading with the following instructions.

 # echo "install dccp /bin/true" >> /etc/modprobe.d/disable-dccp.conf

The system will need to be restarted if the dccp modules are loaded. In most circumstances the dccp kernel modules will be unable to be unloaded while any network interfaces are active and the protocol is in use.

Recent versions of SELinux policy can mitigate this exploit. The steps above will work with SELinux enabled or disabled.
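
A check for the mitigation in Comment 1, added here as an example and not part of the bug report: it verifies that a modprobe install rule for dccp is present, reports whether a dccp module is already resident (the case in which the comment says a restart is needed), and can write the rule the comment gives. The file name disable-dccp.conf is the one used above; the report/apply sub-commands, the function names, and the /proc/modules lines used in testing are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): check for, and optionally apply,
# the modprobe-based DCCP mitigation from Comment 1. Paths are passed in as
# arguments so the checks can also be run against a copy of the config.

# dccp_blacklisted DIR: succeed (exit 0) if some *.conf under DIR contains an
# "install dccp /bin/true" rule, i.e. modprobe will not insert the dccp module.
dccp_blacklisted() {
    grep -qsE '^[[:space:]]*install[[:space:]]+dccp[[:space:]]+/bin/true' "$1"/*.conf
}

# dccp_loaded MODULES_FILE: succeed if a dccp module (dccp, dccp_ipv4,
# dccp_ipv6 or dccp_diag) is listed in a /proc/modules-style file.
dccp_loaded() {
    grep -qsE '^dccp(_ipv4|_ipv6|_diag)?[[:space:]]' "$1"
}

# apply_dccp_mitigation DIR: write the rule from the bug report into
# DIR/disable-dccp.conf unless an equivalent rule is already present.
apply_dccp_mitigation() {
    mkdir -p "$1"
    if ! dccp_blacklisted "$1"; then
        echo "install dccp /bin/true" >> "$1/disable-dccp.conf"
    fi
}

# dccp_report DIR MODULES_FILE: print the mitigation state; succeed only when
# the rule is in place and no dccp module is currently loaded.
dccp_report() {
    rc=0
    if dccp_blacklisted "$1"; then
        echo "ok: install rule present, dccp will not be auto-loaded"
    else
        echo "MISSING: no 'install dccp /bin/true' rule under $1"
        rc=1
    fi
    if dccp_loaded "$2"; then
        echo "LOADED: a dccp module is in memory; restart for the rule to take effect"
        rc=1
    else
        echo "ok: no dccp module loaded"
    fi
    return $rc
}

# Stand-alone use (nothing is done unless a sub-command is given):
#   sh dccp-mitigation.sh report   # read-only check of the live system
#   sh dccp-mitigation.sh apply    # write the rule, then re-check
case "${1:-}" in
    report) dccp_report /etc/modprobe.d /proc/modules ;;
    apply)  apply_dccp_mitigation /etc/modprobe.d
            dccp_report /etc/modprobe.d /proc/modules ;;
esac
```

dccp_ipv4 and dccp_ipv6 depend on the core dccp module, so a rule for dccp alone is enough to keep the protocol from becoming usable through auto-loading. Whether the rule names /bin/true or /bin/false only changes what modprobe reports to the caller; in both cases the module is not inserted.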

Comment 2 Petr Matousek 2017-02-22 14:20:01 UTC

*** This bug has been marked as a duplicate of bug 1423071 ***

