Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 1504574 - (CVE-2017-15649) CVE-2017-15649 kernel: Use-after-free in the af_packet.c
CVE-2017-15649 kernel: Use-after-free in the af_packet.c
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20170920,repo...
: Security
Depends On: 1490772 1505392 1505423 1505425 1505426 1505429 1505430
Blocks: 1504575
  Show dependency treegraph
 
Reported: 2017-10-20 05:02 EDT by Andrej Nemec
Modified: 2018-08-28 18:24 EDT (History)
46 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that fanout_add() in 'net/packet/af_packet.c' in the Linux kernel, before version 4.13.6, allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free bug.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0151 normal SHIPPED_LIVE Important: kernel security and bug fix update 2018-01-25 11:17:48 EST
Red Hat Product Errata RHSA-2018:0152 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2018-01-25 11:18:22 EST
Red Hat Product Errata RHSA-2018:0181 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2018-01-25 11:26:34 EST

  None (edit)
Description Andrej Nemec 2017-10-20 05:02:56 EDT
net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346.

Upstream patches:

https://github.com/torvalds/linux/commit/008ba2a13f2d04c947adc536d19debb8fe66f110
https://github.com/torvalds/linux/commit/4971613c1639d8e5f102c4e797c3bf8f83a5a69e

References:

https://blogs.securiteam.com/index.php/archives/3484
Comment 2 Vladis Dronov 2017-10-23 09:47:58 EDT
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1505392]
Comment 8 Vladis Dronov 2017-10-23 11:14:02 EDT
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 and 6 as a code with the flaw is not present in the products listed.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 and MRG-2. Future updates for the respective releases may address this issue.
Comment 9 Justin M. Forbes 2017-10-24 13:16:11 EDT
This was fixed with the 4.13.6 kernel for Fedora
Comment 14 errata-xmlrpc 2018-01-25 06:27:01 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0151 https://access.redhat.com/errata/RHSA-2018:0151
Comment 15 errata-xmlrpc 2018-01-25 06:30:19 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0152 https://access.redhat.com/errata/RHSA-2018:0152
Comment 16 errata-xmlrpc 2018-01-25 06:32:32 EST
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2018:0181 https://access.redhat.com/errata/RHSA-2018:0181

Note You need to log in before you can comment on or make changes to this bug.