Bug 1423071 - (CVE-2017-6074) CVE-2017-6074 kernel: use after free in dccp protocol
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20170222,repo...
Keywords: Security
Duplicates: 1425406
Depends On: 1423463 1423465 1423466 1423467 1425260 1427912 1423462 1423464 1424626 1424628 1424633 1425261 1425262 1425270 1425358 1425359 1425360 1425361 1425362 1425363 1425364 1425511 1425822 1425921 1425924
Blocks: 1423069
Reported: 2017-02-16 20:44 EST by Wade Mealing
Modified: 2017-03-22 05:32 EDT
CC: 55 users
Doc Type: Bug Fix
Doc Text:
A use-after-free flaw was found in the way the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket. A local, unprivileged user could use this flaw to alter the kernel memory, allowing them to escalate their privileges on the system.
Attachments: None

Description Wade Mealing 2017-02-16 20:44:45 EST
A flaw was found in the Linux kernel's implementation of the DCCP protocol in which a local user could influence timing so that a skbuff could be used after it had been freed by the kernel. An attacker able to craft structures allocated in this freed memory will be able to create memory corruption, privilege escalation or crash the system. An attacker must have local account access on the system; this is not a remote attack. An attack requires IPv6 support to be enabled on the system.

Initial message:

https://groups.google.com/forum/#!topic/syzkaller/_vGUxJLcdKY

Proposed patch:

https://patchwork.ozlabs.org/patch/728808/
Comment 2 Wade Mealing 2017-02-17 01:26:51 EST
Mitigation:

Recent versions of the SELinux policy can mitigate this flaw. The steps below will work with SELinux enabled or disabled.

As the DCCP module will be auto-loaded when required, its use can be disabled by preventing the module from loading with the following instructions:

  # echo "install dccp /bin/true" >> /etc/modprobe.d/disable-dccp.conf

The system will need to be restarted if the DCCP modules are loaded. In most circumstances, the DCCP kernel modules will be unable to be unloaded while any network interfaces are active and the protocol is in use.

If you need further assistance, see KCS article https://access.redhat.com/solutions/41278 or contact Red Hat Global Support Services.
Comment 3 Wade Mealing 2017-02-17 02:16:34 EST
Statement:

This issue affects Red Hat Enterprise Linux 5, 6, 7, and Red Hat Enterprise MRG 2 kernels.

As this issue is rated as Important, it has been scheduled to be fixed in a future version of Red Hat Enterprise Linux 5, 6, 7, and Red Hat Enterprise MRG 2  kernels.
Comment 4 Wade Mealing 2017-02-17 02:26:21 EST
Acknowledgements:

Name: Andrey Konovalov (Google)
Comment 18 Frank Ch. Eigler 2017-02-18 10:23:14 EST
The following small systemtap script appears to work as a band-aid around this problem, by blocking the initial connect() call.  It requires the appropriate kernel-debuginfo / kernel-devel installed, as aided by the stap-prep script.  It's been tested on RHEL5 & Fedora25.

# stap-prep
[install stuff if needed]

# cat > deccp.stp << 'EOF'
probe module("dccp*").function("dccp_v?_connect") {
   # Forcing addr_len to 0 makes dccp_v4_connect()/dccp_v6_connect() fail their
   # minimum-length check and return -EINVAL before the vulnerable path is reached.
   $addr_len = 0;
   printf("%s[%d] DCCP socket connect denied\n", execname(), tid())
}
probe begin { printf("DCCP band-aid active\n") }
probe end,error { printf("DCCP band-aid shutdown\n") }
EOF

# stap -g deccp.stp
DCCP band-aid active
trigger[24951] DCCP socket connect denied
trigger[24960] DCCP socket connect denied
trigger[24969] DCCP socket connect denied
trigger[24978] DCCP socket connect denied
trigger[24987] DCCP socket connect denied
^CDCCP band-aid shutdown

#

This band-aid will not persist between system reboots or cancellation of the systemtap script.
Comment 19 Vincent Danen 2017-02-18 13:14:47 EST
This was assigned CVE-2017-6074.
Comment 25 Petr Matousek 2017-02-22 09:20:01 EST
*** Bug 1425406 has been marked as a duplicate of this bug. ***
Comment 26 Petr Matousek 2017-02-22 09:24:06 EST
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1425822]
Comment 29 errata-xmlrpc 2017-02-22 11:23:11 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:0295 https://rhn.redhat.com/errata/RHSA-2017-0295.html
Comment 30 errata-xmlrpc 2017-02-22 11:56:17 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0293 https://rhn.redhat.com/errata/RHSA-2017-0293.html
Comment 31 errata-xmlrpc 2017-02-22 12:09:36 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:0294 https://rhn.redhat.com/errata/RHSA-2017-0294.html
Comment 32 Vincent Danen 2017-02-22 15:48:49 EST
External References:

https://access.redhat.com/node/2934281
Comment 33 errata-xmlrpc 2017-02-23 12:37:52 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2017:0316 https://rhn.redhat.com/errata/RHSA-2017-0316.html
Comment 34 errata-xmlrpc 2017-02-24 10:32:31 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Telco Extended Update Support

Via RHSA-2017:0324 https://rhn.redhat.com/errata/RHSA-2017-0324.html
Comment 35 errata-xmlrpc 2017-02-24 10:57:13 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2017:0323 https://rhn.redhat.com/errata/RHSA-2017-0323.html
Comment 38 krsebi 2017-02-28 05:12:50 EST
- Is IPv6 blocking a solution?

 # sysctl net.ipv6.conf.all.disable_ipv6=1


- ifconfig: remove IPv6
Comment 39 Vladis Dronov 2017-02-28 07:18:43 EST
Hello, krsebi,

Yes, disabling IPv6 mitigates the flaw, as the problematic connect() call cannot be made (even though socket(), listen() and setsockopt() still succeed):

# sysctl -w net.ipv6.conf.all.disable_ipv6=1

# strace ./trigger 
...
socket(PF_INET6, SOCK_DCCP, IPPROTO_IP) = 3
bind(3, {sa_family=AF_INET6, sin6_port=htons(20002), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 32) = -1 EADDRNOTAVAIL (Cannot assign requested address)
listen(3, 9)                            = 0
setsockopt(3, SOL_IPV6, 0x31 /* IPV6_??? */, [8], 4) = 0
socket(PF_INET6, SOCK_DCCP, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET6, sin6_port=htons(20002), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 32) = -1 ENETUNREACH (Network is unreachable)

The RHEL 7.3 reproducer system crashes/locks up with IPv6 enabled after running the reproducer, but stays up fine with net.ipv6.conf.all.disable_ipv6=1.
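The two workarounds in this report (blocking the dccp module via modprobe.d in comment 2, and disabling IPv6 in comment 39) can both be verified from userspace without running the reproducer. The following program is an added example, not part of this bug report or of Red Hat's tooling: it tries to obtain an AF_INET6 DCCP socket (the socket() call is what makes the kernel request the dccp modules, so the "install dccp /bin/true" rule causes it to fail) and reads the /proc view of net.ipv6.conf.all.disable_ipv6. The sysctl path, the SOCK_DCCP/IPPROTO_DCCP fallback values and the verdict logic are assumptions of this example; it reports whether a workaround is in effect and does not detect whether the kernel itself is patched.

```c
/* dccp_exposure.c: report whether a host still exposes the CVE-2017-6074
 * attack surface from an unprivileged user's point of view.
 * Added example, not code from the bug report. Build: cc -Wall -o dccp_exposure dccp_exposure.c
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Older glibc headers may lack these; the values are the Linux ABI constants. */
#ifndef SOCK_DCCP
#define SOCK_DCCP 6
#endif
#ifndef IPPROTO_DCCP
#define IPPROTO_DCCP 33
#endif

/* Assumed path: the /proc view of net.ipv6.conf.all.disable_ipv6. */
#define DISABLE_IPV6_PATH "/proc/sys/net/ipv6/conf/all/disable_ipv6"

/* Try to create an AF_INET6 DCCP socket. socket() triggers the kernel's
 * request_module() for dccp_ipv6; with "install dccp /bin/true" in
 * modprobe.d the dependency chain cannot load and the call fails instead.
 * Returns 1 if the socket could be created, 0 otherwise; *err receives errno. */
int dccp_ipv6_socket_available(int *err)
{
    int fd = socket(AF_INET6, SOCK_DCCP, IPPROTO_DCCP);
    if (fd < 0) {
        if (err)
            *err = errno;
        return 0;
    }
    close(fd);
    if (err)
        *err = 0;
    return 1;
}

/* Read an integer sysctl from its /proc file.
 * Returns the value, or -1 if the file cannot be read (e.g. no IPv6 support). */
int read_int_sysctl(const char *path)
{
    FILE *f = fopen(path, "r");
    int v = -1;
    if (f == NULL)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Verdict combining the two workarounds:
 *   0 = a workaround is in effect (no DCCP/IPv6 socket, or IPv6 disabled/absent)
 *   1 = exposed (DCCP over IPv6 socket obtainable and IPv6 enabled)
 * A patched kernel also returns 1 here; this checks workarounds only. */
int cve_2017_6074_exposed(int dccp_available, int disable_ipv6_value)
{
    if (!dccp_available)
        return 0;
    if (disable_ipv6_value != 0) /* 1 = disabled, -1 = IPv6 not available */
        return 0;
    return 1;
}

int main(void)
{
    int err = 0;
    int dccp = dccp_ipv6_socket_available(&err);
    int ipv6_off = read_int_sysctl(DISABLE_IPV6_PATH);

    if (dccp)
        printf("AF_INET6 DCCP socket: available (dccp modules loaded or auto-loadable)\n");
    else
        printf("AF_INET6 DCCP socket: unavailable (%s)\n", strerror(err));

    if (ipv6_off == -1)
        printf("net.ipv6.conf.all.disable_ipv6: unreadable (IPv6 not available)\n");
    else
        printf("net.ipv6.conf.all.disable_ipv6 = %d\n", ipv6_off);

    if (cve_2017_6074_exposed(dccp, ipv6_off)) {
        printf("RESULT: no workaround in effect; rely on the errata kernel or apply one\n");
        return 1;
    }
    printf("RESULT: workaround in effect (kernel patch status not checked)\n");
    return 0;
}
```

Run it as an unprivileged user, since that is the attacker model in this report. Note that the modprobe rule only prevents future loading: if the dccp modules were already loaded before the rule was added, socket() still succeeds and the program reports exposure, which matches the reboot advice in comment 2.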
Comment 40 krsebi 2017-02-28 08:38:47 EST
Hello, Vladis Dronov,

Thank you very much for lending a helping hand.
Comment 41 errata-xmlrpc 2017-02-28 09:43:11 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.4 Advanced Update Support

Via RHSA-2017:0345 https://rhn.redhat.com/errata/RHSA-2017-0345.html
Comment 42 errata-xmlrpc 2017-02-28 10:04:28 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.6 Long Life

Via RHSA-2017:0347 https://rhn.redhat.com/errata/RHSA-2017-0347.html
Comment 44 errata-xmlrpc 2017-02-28 10:06:31 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.9 Long Life

Via RHSA-2017:0346 https://rhn.redhat.com/errata/RHSA-2017-0346.html
Comment 47 errata-xmlrpc 2017-03-01 10:44:12 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support
  Red Hat Enterprise Linux 6.5 Telco Extended Update Support

Via RHSA-2017:0366 https://rhn.redhat.com/errata/RHSA-2017-0366.html
Comment 48 errata-xmlrpc 2017-03-01 10:44:57 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 Advanced Update Support

Via RHSA-2017:0365 https://rhn.redhat.com/errata/RHSA-2017-0365.html
Comment 49 errata-xmlrpc 2017-03-02 11:54:35 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.1 Extended Update Support

Via RHSA-2017:0403 https://rhn.redhat.com/errata/RHSA-2017-0403.html
Comment 57 errata-xmlrpc 2017-03-14 10:58:19 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Extended Update Support

Via RHSA-2017:0501 https://rhn.redhat.com/errata/RHSA-2017-0501.html