The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free), which may lead to memory corruption or other unspecified impact.
Upstream patch: https://github.com/torvalds/linux/commit/f991af3daabaecff34684fd51fac80319d1baad1
Mitre advisory: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11176
What is use after free: https://access.redhat.com/use-after-free-flaw-type
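The reference-count imbalance behind the report above, as an added user-space model (not kernel code and not part of the original report). All names are hypothetical, and the model assumes that the attach step has already released its reference when it asks for a retry, so a stale sock pointer reaching the error path causes a second release.

```c
#include <stddef.h>

/* Constructed user-space model; every name here is hypothetical, not kernel code. */
struct obj { int refs; };                       /* stands in for the netlink sock */
struct scenario { struct obj o; int lookups_ok; int retries; };

/* Takes a reference; fails once user space has closed the fd. */
static struct obj *lookup(struct scenario *s)
{
    if (s->lookups_ok-- <= 0)
        return NULL;
    s->o.refs++;
    return &s->o;
}

/* Returns 1 ("retry") after dropping the caller's reference, or 0 on success. */
static int attach(struct scenario *s, struct obj *sock)
{
    if (s->retries-- <= 0)
        return 0;
    sock->refs--;
    return 1;
}

/* Runs the retry loop once and returns the object's final reference count. */
int refs_after_notify(int patched, int lookups_ok, int retries)
{
    struct scenario s = { { 1 }, lookups_ok, retries };  /* 1 = ref held elsewhere */
    struct obj *sock = NULL, *found;

retry:
    found = lookup(&s);
    if (!found)
        goto out;               /* sock keeps whatever the last pass left in it */
    sock = found;
    if (attach(&s, sock) == 1) {
        if (patched)
            sock = NULL;        /* the fix: forget the reference attach() dropped */
        goto retry;
    }
    sock = NULL;                /* success: the reference is handed to the queue */
out:
    if (sock)
        sock->refs--;           /* error-path release; a second drop if sock is stale */
    return s.o.refs;
}
```

A final count of 0 in the unpatched run means the reference held elsewhere now points at an object that would already have been freed; with the pointer reset before the retry, the count stays at 1.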
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1470660]
kernel-4.11.11-200.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Statement: This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6, 7 and MRG-2. Future Linux kernel updates for the respective releases may address this issue.
This issue has been addressed in the following products: Red Hat Enterprise MRG 2 Via RHSA-2017:2918 https://access.redhat.com/errata/RHSA-2017:2918
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2930 https://access.redhat.com/errata/RHSA-2017:2930
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2931 https://access.redhat.com/errata/RHSA-2017:2931
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2018:0169 https://access.redhat.com/errata/RHSA-2018:0169
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Extended Lifecycle Support Via RHSA-2018:3822 https://access.redhat.com/errata/RHSA-2018:3822