Bug 1423071 (CVE-2017-6074) - CVE-2017-6074 kernel: use after free in dccp protocol
Summary: CVE-2017-6074 kernel: use after free in dccp protocol
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-6074
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 1425406
Depends On: 1423462 1423463 1423464 1423465 1423466 1423467 1424626 1424628 1424633 1425260 1425261 1425262 1425270 1425358 1425359 1425360 1425361 1425362 1425363 1425364 1425511 1425822 1425921 1425924 1427912
Blocks: 1423069
Reported: 2017-02-17 01:44 UTC by Wade Mealing
Modified: 2021-02-17 02:34 UTC (History)
CC List: 55 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A use-after-free flaw was found in the way the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket. A local, unprivileged user could use this flaw to alter the kernel memory, allowing them to escalate their privileges on the system.
Clone Of:
Environment:
Last Closed: 2017-05-09 17:27:38 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0293 0 normal SHIPPED_LIVE Important: kernel security update 2017-02-22 21:56:03 UTC
Red Hat Product Errata RHSA-2017:0294 0 normal SHIPPED_LIVE Important: kernel security update 2017-02-22 22:09:14 UTC
Red Hat Product Errata RHSA-2017:0295 0 normal SHIPPED_LIVE Important: kernel-rt security update 2017-02-24 20:09:33 UTC
Red Hat Product Errata RHSA-2017:0316 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2017-02-23 22:35:10 UTC
Red Hat Product Errata RHSA-2017:0323 0 normal SHIPPED_LIVE Important: kernel security update 2017-02-24 20:56:33 UTC
Red Hat Product Errata RHSA-2017:0324 0 normal SHIPPED_LIVE Important: kernel security update 2017-02-24 20:31:50 UTC
Red Hat Product Errata RHSA-2017:0345 0 normal SHIPPED_LIVE Important: kernel security update 2017-02-28 19:43:02 UTC
Red Hat Product Errata RHSA-2017:0346 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2017-02-28 20:03:22 UTC
Red Hat Product Errata RHSA-2017:0347 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2017-02-28 20:03:15 UTC
Red Hat Product Errata RHSA-2017:0365 0 normal SHIPPED_LIVE Important: kernel security update 2017-03-01 20:44:04 UTC
Red Hat Product Errata RHSA-2017:0366 0 normal SHIPPED_LIVE Important: kernel security update 2017-03-01 20:43:56 UTC
Red Hat Product Errata RHSA-2017:0403 0 normal SHIPPED_LIVE Important: kernel security update 2017-03-02 21:54:23 UTC
Red Hat Product Errata RHSA-2017:0501 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2017-03-14 18:50:45 UTC
Red Hat Product Errata RHSA-2017:0932 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2017-04-12 14:51:03 UTC
Red Hat Product Errata RHSA-2017:1209 0 normal SHIPPED_LIVE Important: rhev-hypervisor bug fix and enhancement update for RHEV 3.6.11 2017-05-09 20:41:44 UTC

Description Wade Mealing 2017-02-17 01:44:45 UTC
A flaw was found in the Linux kernel's implementation of the DCCP protocol in which a local user could influence timing such that a skbuff could be used after it had been freed by the kernel. An attacker able to craft structures allocated in this freed memory will be able to cause memory corruption, privilege escalation or crash the system. An attacker must have local account access on the system; this is not a remote attack. The attack requires IPv6 support to be enabled on the system.

Initial message:

https://groups.google.com/forum/#!topic/syzkaller/_vGUxJLcdKY

Proposed patch:

https://patchwork.ozlabs.org/patch/728808/

Comment 2 Wade Mealing 2017-02-17 06:26:51 UTC
Mitigation:

Recent versions of the SELinux policy can mitigate this flaw. The steps below will work with SELinux enabled or disabled.

As the DCCP module will be auto-loaded when required, its use can be disabled by preventing the module from loading with the following instructions:

  # echo "install dccp /bin/true" >> /etc/modprobe.d/disable-dccp.conf

The system will need to be restarted if the DCCP modules are loaded. In most circumstances, the DCCP kernel modules will be unable to be unloaded while any network interfaces are active and the protocol is in use.

If you need further assistance, see KCS article https://access.redhat.com/solutions/41278 or contact Red Hat Global Support Services.

Comment 3 Wade Mealing 2017-02-17 07:16:34 UTC
Statement:

This issue affects Red Hat Enterprise Linux 5, 6, 7, and Red Hat Enterprise MRG 2 kernels.

As this issue is rated as Important, it has been scheduled to be fixed in a future version of Red Hat Enterprise Linux 5, 6, 7, and Red Hat Enterprise MRG 2 kernels.

Comment 4 Wade Mealing 2017-02-17 07:26:21 UTC
Acknowledgements:

Name: Andrey Konovalov (Google)

Comment 18 Frank Ch. Eigler 2017-02-18 15:23:14 UTC
The following small systemtap script appears to work as a band-aid around this problem, by blocking the initial connect() call.  It requires the appropriate kernel-debuginfo / kernel-devel installed, as aided by the stap-prep script.  It's been tested on RHEL5 & Fedora25.

# stap-prep
[install stuff if needed]

# cat > deccp.stp << 'EOF'
# Guru mode (stap -g) is required to write to the target variable below.
probe module("dccp*").function("dccp_v?_connect") {
   # Zero the address length so dccp_v4_connect()/dccp_v6_connect() reject
   # the call with EINVAL and the DCCP handshake never starts.
   $addr_len = 0;
   printf("%s[%d] DCCP socket connect denied\n", execname(), tid())
}
probe begin { printf("DCCP band-aid active\n") }
probe end,error { printf("DCCP band-aid shutdown\n") }
EOF

# stap -g deccp.stp
DCCP band-aid active
trigger[24951] DCCP socket connect denied
trigger[24960] DCCP socket connect denied
trigger[24969] DCCP socket connect denied
trigger[24978] DCCP socket connect denied
trigger[24987] DCCP socket connect denied
^CDCCP band-aid shutdown

#

This band-aid will not persist between system reboots or cancellation of the systemtap script.

Comment 19 Vincent Danen 2017-02-18 18:14:47 UTC
This was assigned CVE-2017-6074.

Comment 25 Petr Matousek 2017-02-22 14:20:01 UTC
*** Bug 1425406 has been marked as a duplicate of this bug. ***

Comment 26 Petr Matousek 2017-02-22 14:24:06 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1425822]

Comment 29 errata-xmlrpc 2017-02-22 16:23:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:0295 https://rhn.redhat.com/errata/RHSA-2017-0295.html

Comment 30 errata-xmlrpc 2017-02-22 16:56:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0293 https://rhn.redhat.com/errata/RHSA-2017-0293.html

Comment 31 errata-xmlrpc 2017-02-22 17:09:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:0294 https://rhn.redhat.com/errata/RHSA-2017-0294.html

Comment 32 Vincent Danen 2017-02-22 20:48:49 UTC
External References:

https://access.redhat.com/node/2934281

Comment 33 errata-xmlrpc 2017-02-23 17:37:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2017:0316 https://rhn.redhat.com/errata/RHSA-2017-0316.html

Comment 34 errata-xmlrpc 2017-02-24 15:32:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Telco Extended Update Support

Via RHSA-2017:0324 https://rhn.redhat.com/errata/RHSA-2017-0324.html

Comment 35 errata-xmlrpc 2017-02-24 15:57:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2017:0323 https://rhn.redhat.com/errata/RHSA-2017-0323.html

Comment 38 krsebi 2017-02-28 10:12:50 UTC
- Is IPv6 blocking a solution?

 # sysctl net.ipv6.conf.all.disable_ipv6=1

- ifconfig: remove IPv6

Comment 39 Vladis Dronov 2017-02-28 12:18:43 UTC
Hello, krsebi,

Yes, disabling IPv6 mitigates the flaw, as the problematic connect() call cannot be made (while socket(), listen() and setsockopt() still succeed):

# sysctl -w net.ipv6.conf.all.disable_ipv6=1

# strace ./trigger 
...
socket(PF_INET6, SOCK_DCCP, IPPROTO_IP) = 3
bind(3, {sa_family=AF_INET6, sin6_port=htons(20002), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 32) = -1 EADDRNOTAVAIL (Cannot assign requested address)
listen(3, 9)                            = 0
setsockopt(3, SOL_IPV6, 0x31 /* IPV6_??? */, [8], 4) = 0
socket(PF_INET6, SOCK_DCCP, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET6, sin6_port=htons(20002), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 32) = -1 ENETUNREACH (Network is unreachable)

The rhel-7.3 reproducer system crashes/locks up with IPv6 enabled after running the reproducer, but stays up fine with net.ipv6.conf.all.disable_ipv6=1.
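
The two mitigations on this bug (blocking the dccp module via modprobe.d in comment 2, and disabling IPv6 in comment 39) are easy to apply but easy to leave half-done, e.g. the modprobe.d fragment written while the module is still loaded. The following audit helper is an added example, not code from the bug report or from Red Hat; it checks both mitigations against the live system, and takes optional paths so it can be exercised on constructed files.

```shell
#!/bin/sh
# Added audit helper (not part of the bug report): reports whether the DCCP
# mitigations discussed in this bug are in place. Every function takes an
# optional path so it can run against constructed files; defaults are the
# live system locations.

# 0 if a modprobe.d fragment carries "install dccp /bin/true"
# (comments stripped, whitespace tolerated), 1 otherwise.
dccp_install_blocked() {
    dir="${1:-/etc/modprobe.d}"
    cat "$dir"/*.conf 2>/dev/null | sed 's/#.*//' |
        grep -Eq '^[[:space:]]*install[[:space:]]+dccp[[:space:]]+/bin/true[[:space:]]*$'
}

# 0 if no dccp module appears in a /proc/modules-style list, 1 if one does.
# A blocked module that is already loaded stays usable until reboot.
dccp_not_loaded() {
    modules="${1:-/proc/modules}"
    ! grep -Eq '^dccp(_ipv4|_ipv6|_diag)?[[:space:]]' "$modules" 2>/dev/null
}

# 0 if net.ipv6.conf.all.disable_ipv6 is 1 (the sysctl from comment 39).
ipv6_disabled() {
    f="${1:-/proc/sys/net/ipv6/conf/all/disable_ipv6}"
    [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# Prints the findings and returns 0 only when DCCP cannot be used
# (module load blocked AND not currently loaded) or IPv6 is disabled.
dccp_mitigation_status() {
    dir="${1:-/etc/modprobe.d}"; modules="${2:-/proc/modules}"
    ipv6="${3:-/proc/sys/net/ipv6/conf/all/disable_ipv6}"
    ok=1
    if dccp_install_blocked "$dir" && dccp_not_loaded "$modules"; then
        echo "dccp: module load blocked and module not loaded"; ok=0
    elif dccp_install_blocked "$dir"; then
        echo "dccp: load blocked in modprobe.d but module is loaded; reboot required"
    else
        echo "dccp: module loading is not blocked"
    fi
    if ipv6_disabled "$ipv6"; then echo "ipv6: disabled"; ok=0
    else echo "ipv6: enabled"; fi
    [ "$ok" -eq 0 ] && echo "status: mitigated" || echo "status: exposed"
    return "$ok"
}

# Set DCCP_AUDIT_RUN=1 to run the check directly instead of sourcing the file.
if [ "${DCCP_AUDIT_RUN:-0}" = "1" ]; then dccp_mitigation_status; fi
```

The exit status makes the helper usable from configuration-management or monitoring checks; the live default paths only mean something on a Linux host.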

Comment 40 krsebi 2017-02-28 13:38:47 UTC
Hello, Vladis Dronov,

Thank you very much for lending a helping hand.

Comment 41 errata-xmlrpc 2017-02-28 14:43:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.4 Advanced Update Support

Via RHSA-2017:0345 https://rhn.redhat.com/errata/RHSA-2017-0345.html

Comment 42 errata-xmlrpc 2017-02-28 15:04:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.6 Long Life

Via RHSA-2017:0347 https://rhn.redhat.com/errata/RHSA-2017-0347.html

Comment 44 errata-xmlrpc 2017-02-28 15:06:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.9 Long Life

Via RHSA-2017:0346 https://rhn.redhat.com/errata/RHSA-2017-0346.html

Comment 47 errata-xmlrpc 2017-03-01 15:44:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support
  Red Hat Enterprise Linux 6.5 Telco Extended Update Support

Via RHSA-2017:0366 https://rhn.redhat.com/errata/RHSA-2017-0366.html

Comment 48 errata-xmlrpc 2017-03-01 15:44:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 Advanced Update Support

Via RHSA-2017:0365 https://rhn.redhat.com/errata/RHSA-2017-0365.html

Comment 49 errata-xmlrpc 2017-03-02 16:54:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.1 Extended Update Support

Via RHSA-2017:0403 https://rhn.redhat.com/errata/RHSA-2017-0403.html

Comment 57 errata-xmlrpc 2017-03-14 14:58:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Extended Update Support

Via RHSA-2017:0501 https://rhn.redhat.com/errata/RHSA-2017-0501.html

Comment 63 errata-xmlrpc 2017-04-12 10:54:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2017:0932 https://access.redhat.com/errata/RHSA-2017:0932

Comment 64 errata-xmlrpc 2017-05-09 16:45:57 UTC
This issue has been addressed in the following products:

  RHEV 3.X Hypervisor and Agents for RHEL-6
  RHEV 3.X Hypervisor and Agents for RHEL-7

Via RHSA-2017:1209 https://access.redhat.com/errata/RHSA-2017:1209

