A heap overflow vulnerability was found in the Linux kernel in the macsec module. Specifying MAX_SKB_FRAGS + 1 and using NETIF_F_FRAGLIST, which calls skb_to_sgvec, will overflow the heap.
Upstream patches:
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=4d6fa57b4dab0d77f4d8e9d9c73d1e63f6fe8fee
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=5294b83086cc1c35b4efeca03644cf9d12282e5b
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1445208]
References: http://seclists.org/oss-sec/2017/q2/119
I found this vulnerability and reported it prior to oss-sec. The original email to oss-sec is here: http://www.openwall.com/lists/oss-security/2017/04/24/4 The LKML discussion took place here: https://lkml.org/lkml/2017/4/21/689
Statement: This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2. This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 starting with the version kernel-3.10.0-514.el7, that is with Red Hat Enterprise Linux 7.3 GA. Prior Red Hat Enterprise Linux 7 kernel versions are not affected. In order to exploit this issue, the system needs to be manually configured by a privileged user. The default Red Hat Enterprise Linux 7 configuration is not vulnerable.
A subsequent upstream patch is here: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=5294b83086cc1c35b4efeca03644cf9d12282e5b This *must* be applied to receive protection.
Mitigation: Red Hat recommends blacklisting the kernel module to prevent its use. This will prevent accidental version loading by administration and also mitigate the flaw if a kernel with the affected module is booted. As the macsec module will be auto-loaded when required, its use can be disabled by preventing the module from loading with the following instructions:

    # echo "install macsec /bin/true" >> /etc/modprobe.d/disable-macsec.conf

If macsec functionality is in use as a functional part of the system a kernel upgrade is required.
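One way to verify that the mitigation above is actually in effect on a host, as an added example that is not part of the original bug report or Red Hat's tooling. The function names are hypothetical and the demo input is constructed; the check also reports the case where macsec is already loaded, since an install override only affects later modprobe calls.

```shell
#!/bin/sh
# Added example: verify the macsec module-load mitigation (not Red Hat's code).

# True if any *.conf in the given directories overrides loading of macsec with
# an "install macsec /bin/true" (or /bin/false) line. Commented lines are ignored.
macsec_install_disabled() {
    pattern='^[[:space:]]*install[[:space:]]+macsec[[:space:]]+/(usr/)?bin/(true|false)([[:space:]]|$)'
    for dir in "$@"; do
        for conf in "$dir"/*.conf; do
            [ -f "$conf" ] || continue
            if grep -Eq "$pattern" "$conf"; then
                return 0
            fi
        done
    done
    return 1
}

# True if macsec appears in a /proc/modules-format file (module name is field 1).
macsec_loaded() {
    [ -r "$1" ] && awk '$1 == "macsec" { found = 1 } END { exit !found }' "$1"
}

# Usage: macsec_status MODULES_FILE CONF_DIR...
# Prints "loaded" (module already in the kernel; the override does not unload it),
# "blocked" (override present, module absent) or "unmitigated".
macsec_status() {
    modules_file=$1; shift
    if macsec_loaded "$modules_file"; then
        echo loaded
    elif macsec_install_disabled "$@"; then
        echo blocked
    else
        echo unmitigated
    fi
}

# Demo on constructed input so the script runs offline. On a real host call:
#   macsec_status /proc/modules /etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d
demo=$(mktemp -d)
mkdir "$demo/modprobe.d"
printf '# constructed sample\ninstall macsec /bin/true\n' > "$demo/modprobe.d/disable-macsec.conf"
printf 'xfs 1003520 2 - Live 0x0\n' > "$demo/modules"   # constructed, macsec absent
echo "constructed host: $(macsec_status "$demo/modules" "$demo/modprobe.d")"
rm -rf "$demo"
```

A result of "loaded" means the module must still be removed, or the host rebooted, before the override has any effect.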
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:1615 https://access.redhat.com/errata/RHSA-2017:1615
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:1616 https://access.redhat.com/errata/RHSA-2017:1616