Bug 1466329 - (CVE-2017-8797) CVE-2017-8797 kernel: NFSv4 server does not properly validate layout type when processing NFSv4 pNFS LAYOUTGET operand
CVE-2017-8797 kernel: NFSv4 server does not properly validate layout type whe...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20170627,repo...
: Security
Depends On: 1464919 1466330 1466899 1466902 1466904 1466905 1460365 1466901 1466903
Blocks: 1466331
  Show dependency treegraph
 
Reported: 2017-06-29 08:48 EDT by Adam Mariš
Modified: 2017-09-06 16:43 EDT (History)
36 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2017-06-29 08:48:58 EDT
The NFSv4 server in the Linux kernel does not properly validate layout type when processing NFSv4 pNFS LAYOUTGET operand. The provided input value is not properly validated and is used for array dereferencing. OOPS is triggered which leads to DoS of knfsd and eventually to soft-lockup of whole system. In addition, on normal processing path there is a C undefined behavior weakness that can lead to out of bounds array dereferencing.

The attack vector requires that the attack host is within host mask of exported NFSv4 mount or source address spoofing is not properly mitigated in the network. The attack payload fits to single one-way UDP packet. The kernel must be compiled with CONFIG_NFSD_PNFS enabled.

References:

http://seclists.org/oss-sec/2017/q2/615

Upstream fixes:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b550a32e60a4941994b437a8d662432a486235a5

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f961e3f2acae94b727380c0b74e2d3954d0edf79
Comment 1 Adam Mariš 2017-06-29 08:49:41 EDT
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1466330]
Comment 6 Vladis Dronov 2017-06-30 13:51:13 EDT
Statement:

This issue does not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5, 6 as the code with the flaw is not present in the products listed.

This issue affects the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 7 and Red Hat Enterprise MRG 2. Future kernel updates for these products may address this issue.
Comment 7 errata-xmlrpc 2017-08-01 15:17:38 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2077 https://access.redhat.com/errata/RHSA-2017:2077
Comment 8 errata-xmlrpc 2017-08-01 20:27:18 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2077 https://access.redhat.com/errata/RHSA-2017:2077
Comment 9 errata-xmlrpc 2017-08-02 03:57:54 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1842 https://access.redhat.com/errata/RHSA-2017:1842
Comment 10 errata-xmlrpc 2017-08-08 12:21:25 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Extended Update Support

Via RHSA-2017:2437 https://access.redhat.com/errata/RHSA-2017:2437
Comment 11 errata-xmlrpc 2017-09-06 16:43:02 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2017:2669 https://access.redhat.com/errata/RHSA-2017:2669

Note You need to log in before you can comment on or make changes to this bug.