Bug 1679764 - kernel: netfilter: out-of-bounds read and write in SNMP NAT module
Summary: kernel: netfilter: out-of-bounds read and write in SNMP NAT module
Keywords:
Status: CLOSED DUPLICATE of bug 1683191
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1683444
Blocks: 1679765
Reported: 2019-02-21 19:48 UTC by Laura Pardo
Modified: 2020-04-27 18:16 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-03-01 14:57:45 UTC
Embargoed:


Description Laura Pardo 2019-02-21 19:48:49 UTC
In Linux kernel 4.16, the netfilter SNMP NAT component was rewritten to use the ASN.1 parser generator. Unfortunately, the grammar defines two callbacks that do NOT check if enough data is provided. This results in an out-of-bounds write into the "skb shinfo" area, which can lead to privilege escalation. This might be remotely exploitable if the host is configured for SNMP NAT.


Introduced in:
https://github.com/torvalds/linux/commit/cc2d58634e0f489d28b5564c05abc69930b4d920

Upstream Patch:
https://github.com/torvalds/linux/commit/c4c07b4d6fa1f11880eab8e076d3d060ef3f55fc
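
Added example, not part of the original report and not the kernel's code: a user-space C model of a decoder callback that rewrites a 4-byte address in place, once without consulting the element length and once with a length check. The struct, function names and sample bytes are constructed for illustration, and the demo buffer is sized so the program itself stays in bounds.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical NAT context: rewrite address `from` to `to`. */
struct nat_ctx { uint8_t from[4]; uint8_t to[4]; };

/* Unchecked form: trusts that the decoder handed over 4 bytes. */
static int rewrite_unchecked(const struct nat_ctx *c, uint8_t *data, size_t datalen)
{
    (void)datalen;                      /* length is never consulted */
    if (memcmp(data, c->from, 4) == 0)  /* reads data[datalen..3] too */
        memcpy(data, c->to, 4);         /* writes data[datalen..3] too */
    return 0;
}

/* Checked form: refuse any element that is not exactly 4 bytes. */
static int rewrite_checked(const struct nat_ctx *c, uint8_t *data, size_t datalen)
{
    if (datalen != 4)
        return -EINVAL;
    if (memcmp(data, c->from, 4) == 0)
        memcpy(data, c->to, 4);
    return 0;
}

/* Constructed input: a 2-byte element {10,0} followed by 2 neighbour bytes
 * {0,1} that are not part of it. Returns 1 if the callback modified the
 * neighbour bytes; *rc receives the callback's return value. */
static int neighbour_modified(int (*cb)(const struct nat_ctx *, uint8_t *, size_t), int *rc)
{
    const struct nat_ctx c = { {10, 0, 0, 1}, {192, 0, 2, 1} };
    uint8_t buf[4] = { 10, 0, 0, 1 };
    *rc = cb(&c, buf, 2);               /* decoder reports datalen == 2 */
    return buf[2] != 0 || buf[3] != 1;
}

int main(void)
{
    int rc, hit;
    hit = neighbour_modified(rewrite_unchecked, &rc);
    printf("unchecked: neighbour modified=%d rc=%d\n", hit, rc);
    hit = neighbour_modified(rewrite_checked, &rc);
    printf("checked:   neighbour modified=%d rc=%d\n", hit, rc);
    return 0;
}
```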

Comment 2 Laura Pardo 2019-02-26 21:04:16 UTC
Public through:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1776

Comment 3 Laura Pardo 2019-02-26 21:04:33 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1683444]

Comment 4 Justin M. Forbes 2019-02-26 23:04:46 UTC
Fedora started tracking this in bodhi in 1679972.

Comment 5 Vladis Dronov 2019-03-01 14:57:45 UTC

*** This bug has been marked as a duplicate of bug 1683191 ***
