Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1516257 - (CVE-2017-16648) CVE-2017-16648 kernel: Use-after-free in drivers/media/dvb-core/dvb_frontend.c
CVE-2017-16648 kernel: Use-after-free in drivers/media/dvb-core/dvb_frontend.c
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20171023,repor...
: Security
Depends On: 1546038 1516274 1546036 1546037
Blocks: 1516259
  Show dependency treegraph
 
Reported: 2017-11-22 06:27 EST by Andrej Nemec
Modified: 2018-10-30 04:56 EDT (History)
46 users (show)

See Also:
Fixed In Version: kernel 4.14
Doc Type: If docs needed, set a value
Doc Text:
The dvb frontend management subsystem in the Linux kernel contains a use-after-free which can allow a malicious user to write to memory that may be assigned to another kernel structure. This could create memory corruption, panic, or possibly other side affects.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2948 None None None 2018-10-30 04:56 EDT

  None (edit)
Description Andrej Nemec 2017-11-22 06:27:22 EST 
The dvb_frontend_free function in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device. NOTE: the function was later renamed __dvb_frontend_free.

References:

https://groups.google.com/forum/#!msg/syzkaller/0HJQqTm0G_g/T931ItskBAAJ

https://patchwork.kernel.org/patch/10046189/

Upstream Fixes:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b1cb7372fa822af6c06c8045963571d13ad6348b

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b1728ff617f88a1f7a5d8c8f21fe17a2f6af5d16
Comment 1 Andrej Nemec 2017-11-22 06:53:03 EST 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1516274]
Comment 6 Eric Christensen 2018-02-19 10:20:04 EST 
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6, 7, MRG-2 and real-time kernels.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux kernel-alt package.

Future Linux kernel updates for the respective releases may address this issue.
Comment 7 errata-xmlrpc 2018-10-30 04:56:30 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2948 https://access.redhat.com/errata/RHSA-2018:2948
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.