Bug 1446103 (CVE-2017-7895) - CVE-2017-7895 kernel: NFSv3 server does not properly handle payload bounds checking of WRITE requests
Summary: CVE-2017-7895 kernel: NFSv3 server does not properly handle payload bounds ch...
Status: CLOSED ERRATA
Alias: CVE-2017-7895
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20170428,repo...
Keywords: Security
Depends On: 1443204 1446541 1446755 1446763 1449274 1449275 1449282 1449284 1449285 1449286 1450871 1450872 1450873 1450874 1450876 1450877 1450878 1455248 1455253
Blocks: 1446105
TreeView+ depends on / blocked
 
Reported: 2017-04-27 09:34 UTC by Andrej Nemec
Modified: 2017-09-15 09:33 UTC (History)
40 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lacked certain checks for the end of a buffer. A remote attacker could trigger a pointer-arithmetic error or possibly cause other unspecified impacts using crafted requests related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-09-15 09:33:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1615 normal SHIPPED_LIVE Important: kernel security and bug fix update 2017-06-29 16:41:56 UTC
Red Hat Product Errata RHSA-2017:1616 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2017-06-28 20:57:58 UTC
Red Hat Product Errata RHSA-2017:1647 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2017-06-28 20:34:27 UTC
Red Hat Product Errata RHSA-2017:1715 normal SHIPPED_LIVE Important: kernel security and bug fix update 2017-07-11 20:10:49 UTC
Red Hat Product Errata RHSA-2017:1723 normal SHIPPED_LIVE Important: kernel security and bug fix update 2017-07-11 22:45:35 UTC
Red Hat Product Errata RHSA-2017:1766 normal SHIPPED_LIVE Important: kernel security and bug fix update 2017-07-18 16:13:50 UTC
Red Hat Product Errata RHSA-2017:1798 normal SHIPPED_LIVE Important: kernel security update 2017-07-24 23:08:54 UTC
Red Hat Product Errata RHSA-2017:2412 normal SHIPPED_LIVE Important: kernel security and bug fix update 2017-08-02 13:59:24 UTC
Red Hat Product Errata RHSA-2017:2428 normal SHIPPED_LIVE Important: kernel security update 2017-08-08 15:00:55 UTC
Red Hat Product Errata RHSA-2017:2429 normal SHIPPED_LIVE Important: kernel security and bug fix update 2017-08-08 15:00:33 UTC
Red Hat Product Errata RHSA-2017:2472 normal SHIPPED_LIVE Important: kernel security and bug fix update 2017-08-15 14:33:46 UTC
Red Hat Product Errata RHSA-2017:2732 normal SHIPPED_LIVE Important: kernel security and bug fix update 2017-09-14 17:57:58 UTC

Description Andrej Nemec 2017-04-27 09:34:25 UTC
The NFSv3 server in the Linux kernel does not properly handle payload bounds checking of WRITE requests, which allows remote attackers to read up to about 1 MB - 4096 bytes of kernel memory to a file. Write access to a NFS mount is required.

References:

http://seclists.org/oss-sec/2017/q2/196

Upstream patch:

https://github.com/torvalds/linux/commit/13bf9fbff0e5e099e2b6f003a0ab8ae145436309

Comment 1 Andrej Nemec 2017-04-27 09:34:35 UTC
Acknowledgments:

Name: Ari Kauppi

Comment 2 Andrej Nemec 2017-04-28 10:18:26 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1446541]

Comment 6 Vladis Dronov 2017-05-09 13:59:49 UTC
Statement:

This issue affects the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2. Future kernel updates for Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2 may address this issue.

Comment 17 errata-xmlrpc 2017-06-28 16:36:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2017:1647 https://access.redhat.com/errata/RHSA-2017:1647

Comment 18 errata-xmlrpc 2017-06-28 17:05:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1615 https://access.redhat.com/errata/RHSA-2017:1615

Comment 19 errata-xmlrpc 2017-06-28 17:09:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1616 https://access.redhat.com/errata/RHSA-2017:1616

Comment 20 errata-xmlrpc 2017-07-11 16:12:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.4 Advanced Update Support

Via RHSA-2017:1715 https://access.redhat.com/errata/RHSA-2017:1715

Comment 21 errata-xmlrpc 2017-07-11 18:49:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:1723 https://access.redhat.com/errata/RHSA-2017:1723

Comment 22 errata-xmlrpc 2017-07-18 12:15:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Extended Update Support

Via RHSA-2017:1766 https://access.redhat.com/errata/RHSA-2017:1766

Comment 23 errata-xmlrpc 2017-07-24 19:10:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Telco Extended Update Support

Via RHSA-2017:1798 https://access.redhat.com/errata/RHSA-2017:1798

Comment 24 errata-xmlrpc 2017-08-02 10:01:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5 Extended Lifecycle Support

Via RHSA-2017:2412 https://access.redhat.com/errata/RHSA-2017:2412

Comment 25 errata-xmlrpc 2017-08-08 11:01:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2017:2429 https://access.redhat.com/errata/RHSA-2017:2429

Comment 26 errata-xmlrpc 2017-08-08 11:02:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support
  Red Hat Enterprise Linux 6.5 Telco Extended Update Support

Via RHSA-2017:2428 https://access.redhat.com/errata/RHSA-2017:2428

Comment 27 errata-xmlrpc 2017-08-15 10:34:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.9 Long Life

Via RHSA-2017:2472 https://access.redhat.com/errata/RHSA-2017:2472

Comment 28 errata-xmlrpc 2017-09-14 13:59:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 Advanced Update Support

Via RHSA-2017:2732 https://access.redhat.com/errata/RHSA-2017:2732


Note You need to log in before you can comment on or make changes to this bug.