Bug 1504574 (CVE-2017-15649) - CVE-2017-15649 kernel: Use-after-free in the af_packet.c
Summary: CVE-2017-15649 kernel: Use-after-free in the af_packet.c
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-15649
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1490772 1505392 1505423 1505425 1505426 1505429 1505430
Blocks: 1504575
TreeView+ depends on / blocked
 
Reported: 2017-10-20 09:02 UTC by Andrej Nemec
Modified: 2021-02-17 01:20 UTC (History)
45 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that fanout_add() in 'net/packet/af_packet.c' in the Linux kernel, before version 4.13.6, allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free bug.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:29:43 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0151 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2018-01-25 16:17:48 UTC
Red Hat Product Errata RHSA-2018:0152 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2018-01-25 16:18:22 UTC
Red Hat Product Errata RHSA-2018:0181 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2018-01-25 16:26:34 UTC

Description Andrej Nemec 2017-10-20 09:02:56 UTC
net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346.

Upstream patches:

https://github.com/torvalds/linux/commit/008ba2a13f2d04c947adc536d19debb8fe66f110
https://github.com/torvalds/linux/commit/4971613c1639d8e5f102c4e797c3bf8f83a5a69e
https://github.com/torvalds/linux/commit/2bd624b4611ffee36422782d16e1c944d1351e98

References:

https://blogs.securiteam.com/index.php/archives/3484

Comment 2 Vladis Dronov 2017-10-23 13:47:58 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1505392]

Comment 8 Vladis Dronov 2017-10-23 15:14:02 UTC
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 and 6 as a code with the flaw is not present in the products listed.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 and MRG-2. Future updates for the respective releases may address this issue.

Comment 9 Justin M. Forbes 2017-10-24 17:16:11 UTC
This was fixed with the 4.13.6 kernel for Fedora

Comment 14 errata-xmlrpc 2018-01-25 11:27:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0151 https://access.redhat.com/errata/RHSA-2018:0151

Comment 15 errata-xmlrpc 2018-01-25 11:30:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0152 https://access.redhat.com/errata/RHSA-2018:0152

Comment 16 errata-xmlrpc 2018-01-25 11:32:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2018:0181 https://access.redhat.com/errata/RHSA-2018:0181


Note You need to log in before you can comment on or make changes to this bug.