Bug 1479304 (CVE-2017-1000111) - CVE-2017-1000111 kernel: Heap out-of-bounds read in AF_PACKET sockets
Summary: CVE-2017-1000111 kernel: Heap out-of-bounds read in AF_PACKET sockets
Status: CLOSED ERRATA
Alias: CVE-2017-1000111
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20170810,repor...
Keywords: Security
Depends On: 1480464 1481926 1481927 1481937 1481938 1481939 1481940 1481941 1481942 1481943
Blocks: 1479308
TreeView+ depends on / blocked
 
Reported: 2017-08-08 10:45 UTC by Andrej Nemec
Modified: 2019-06-11 11:13 UTC (History)
38 users (show)

(edit)
A race condition issue was found in the way the raw packet socket implementation in the Linux kernel networking subsystem handled synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this to waste resources in the kernel's ring buffer or possibly cause an out-of-bounds read on the heap leading to a system crash.
Clone Of:
(edit)
Last Closed: 2019-06-08 03:20:08 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2017:3163 normal SHIPPED_LIVE new packages: kernel-alt 2017-11-09 14:59:25 UTC
Red Hat Product Errata RHSA-2017:2918 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2017-10-19 17:24:24 UTC
Red Hat Product Errata RHSA-2017:2930 normal SHIPPED_LIVE Important: kernel security and bug fix update 2017-10-19 18:47:35 UTC
Red Hat Product Errata RHSA-2017:2931 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2017-10-19 18:48:35 UTC
Red Hat Product Errata RHSA-2017:3200 normal SHIPPED_LIVE Important: kernel security and bug fix update 2017-11-15 01:34:41 UTC

Description Andrej Nemec 2017-08-08 10:45:41 UTC
A race condition issue was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this to waste resources in the kernels ring buffer or possibly cause a read-out-of-bounds on the heap possibly panicking the machine.

In a default or common use of Red Hat Enterprise Linux 6 and 7 this issue does not allow an unprivileged local user to use this functionality.

In order to exploit this issue the attacker needs CAP_NET_RAW capability, which needs to be granted by the administrator to the attacker's account. Since Red Hat Enterprise Linux does not have unprivileged user namespaces enabled by default, local unprivileged users also cannot abuse namespaces to grant this capability.

Upstream patch:
http://patchwork.ozlabs.org/patch/800274/

Comment 1 Andrej Nemec 2017-08-08 10:45:51 UTC
Acknowledgments:

Name: Willem de Bruijn

Comment 5 Adam Mariš 2017-08-11 08:07:19 UTC
Public via:

http://seclists.org/oss-sec/2017/q3/279

Comment 6 Adam Mariš 2017-08-11 08:08:35 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1480464]

Comment 9 errata-xmlrpc 2017-10-19 13:26:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2017:2918 https://access.redhat.com/errata/RHSA-2017:2918

Comment 10 errata-xmlrpc 2017-10-19 15:06:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2930 https://access.redhat.com/errata/RHSA-2017:2930

Comment 11 errata-xmlrpc 2017-10-19 15:10:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2931 https://access.redhat.com/errata/RHSA-2017:2931

Comment 14 errata-xmlrpc 2017-11-14 20:38:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:3200 https://access.redhat.com/errata/RHSA-2017:3200

Comment 15 Eric Christensen 2018-09-13 14:00:57 UTC
Statement:

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7, and MRG-2.

Future Linux kernel updates for the respective releases may address this issue.


Note You need to log in before you can comment on or make changes to this bug.