Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1629636 - (CVE-2018-14641) CVE-2018-14641 kernel: a bug in ip_frag_reasm() can cause a crash in ip_do_fragment()
CVE-2018-14641 kernel: a bug in ip_frag_reasm() can cause a crash in ip_do_fr...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20180918:0900...
: Security
Depends On: 1630276 1616059 1629657 1629658 1630279
Blocks: 1629630
  Show dependency treegraph
 
Reported: 2018-09-17 04:40 EDT by Vladis Dronov
Modified: 2018-10-30 05:05 EDT (History)
48 users (show)

See Also:
Fixed In Version: kernel 4.19-rc4
Doc Type: If docs needed, set a value
Doc Text:
A security flaw was found in the ip_frag_reasm() function in net/ipv4/ip_fragment.c in the Linux kernel which can cause a later system crash in ip_do_fragment(). With certain non-default, but non-rare, configuration of a victim host, an attacker can trigger this crash remotely, thus leading to a remote denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2948 None None None 2018-10-30 05:05 EDT

  None (edit)
Description Vladis Dronov 2018-09-17 04:40:17 EDT 
A security flaw was found in the ip_frag_reasm() function in net/ipv4/ip_fragment.c in the Linux kernel which can cause a later system crash in ip_do_fragment(). With certain non-default but non-rare configuration of a victim host an attacker can trigger this crash remotely, thus leading to a remote denial-of-service.

References:

https://seclists.org/oss-sec/2018/q3/248

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5d407b071dc369c26a38398326ee2be53651cfe4
Comment 4 Vladis Dronov 2018-09-17 05:12:34 EDT 
Note:

The fix is the upstream commit 5d407b071dc3 ("ip: frags: fix crash in ip_do_fragment()") and it is fixing fa0f527358bd ("ip: use rb trees for IP frag queue."). Namely, the following part of fa0f527358bd which unions sk and ip_defrag_offset fields of struct sk_buff has introduced the vulnerability:

+++ b/include/linux/skbuff.h
@@ -676,13 +676,16 @@ struct sk_buff {
+
+       union {
+               struct sock             *sk;
+               int                     ip_defrag_offset;
+       };

Only Red Hat Enterprise Linux 7 for ARM 64 and Red Hat Enterprise Linux 7 for Power 9 LE (the RHEL-ALT product) has backported this part of fa0f527358bd and so is vulnerable to this flaw. Future Linux kernel updates for this product may address this issue.
Comment 6 Vladis Dronov 2018-09-18 06:05:44 EDT 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1630279]
Comment 8 errata-xmlrpc 2018-10-30 05:05:09 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2948 https://access.redhat.com/errata/RHSA-2018:2948
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.