Bug 1276437 (CVE-2015-7990) - CVE-2015-7990 kernel: Race condition when sending message on unbound socket causing NULL pointer dereference
Summary: CVE-2015-7990 kernel: Race condition when sending message on unbound socket c...
Status: CLOSED NOTABUG
Alias: CVE-2015-7990
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20151016,repor...
Keywords: Security
Depends On: 1276438 1287424 1287425 1287426 1287427 1287428
Blocks: 1276439
TreeView+ depends on / blocked
 
Reported: 2015-10-29 17:17 UTC by Adam Mariš
Modified: 2016-05-12 01:24 UTC (History)
36 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A denial of service flaw was discovered in the Linux kernel, where a race condition caused a NULL pointer dereference in the RDS socket-creation code. A local attacker could use this flaw to create a situation in which a NULL pointer crashed the kernel.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-12 01:24:57 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Adam Mariš 2015-10-29 17:17:01 UTC
A NULL pointer dereference in the RDS connection code when sending a message to an apparently unbound socket in net/rds/connection.c was found. The problem is caused by the code checking if the socket is bound in rds_sendmsg(), which checks the rs_bound_addr field without taking a lock on the socket.  This opens a race where rs_bound_addr is temporarily set but where the transport is not in rds_bind(), leading to a NULL pointer dereference when trying to dereference 'trans' in __rds_conn_create().

Note that this is a complete fix of CVE-2015-6937 issue.

Patch can be found here:

https://lkml.org/lkml/2015/10/16/530

CVE assignment:

http://seclists.org/oss-sec/2015/q4/179

Workaround:

The Linux kernel will attempt to automatically load the RDS module when the RDS protocol is used from userspace.  The module can be prevented being loaded with the commands:

echo "install rds /bin/true" > /etc/modprobe.d/disable-rds
echo "alias net-pf-28 off" >> /etc/modprobe.d/disable-rds

Earlier versions of Red Hat Enterprise Linux can be disabled with instructions from here: https://access.redhat.com/solutions/41278 

If the module is already loaded prior to this, it must be removed or the system must be rebooted to preven it loading in the future.

Comment 1 Adam Mariš 2015-10-29 17:17:45 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1276438]

Comment 2 Fedora Update System 2015-11-19 09:55:59 UTC
kernel-4.2.6-300.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 3 Fedora Update System 2015-11-19 12:21:07 UTC
kernel-4.2.6-200.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2015-11-20 23:20:44 UTC
kernel-4.1.13-100.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Wade Mealing 2016-02-01 03:49:44 UTC
Statement:

This issue affects Red Hat enterprise Linux 5 and 6.  The affected code is not available in 7, MRG and realtime kernels.


Note You need to log in before you can comment on or make changes to this bug.