Bug 1466329 (CVE-2017-8797) - CVE-2017-8797 kernel: NFSv4 server does not properly validate layout type when processing NFSv4 pNFS LAYOUTGET operand
Summary: CVE-2017-8797 kernel: NFSv4 server does not properly validate layout type whe...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-8797
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1460365 1464919 1466330 1466899 1466901 1466902 1466903 1466904 1466905
Blocks: 1466331
TreeView+ depends on / blocked
 
Reported: 2017-06-29 12:48 UTC by Adam Mariš
Modified: 2021-02-17 01:59 UTC (History)
33 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:15:43 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1842 0 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2017-08-01 18:22:09 UTC
Red Hat Product Errata RHSA-2017:2077 0 normal SHIPPED_LIVE Important: kernel-rt security, bug fix, and enhancement update 2017-08-01 18:13:37 UTC
Red Hat Product Errata RHSA-2017:2437 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2017-08-08 20:14:23 UTC
Red Hat Product Errata RHSA-2017:2669 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2017-09-07 00:36:52 UTC

Description Adam Mariš 2017-06-29 12:48:58 UTC 
The NFSv4 server in the Linux kernel does not properly validate layout type when processing NFSv4 pNFS LAYOUTGET operand. The provided input value is not properly validated and is used for array dereferencing. OOPS is triggered which leads to DoS of knfsd and eventually to soft-lockup of whole system. In addition, on normal processing path there is a C undefined behavior weakness that can lead to out of bounds array dereferencing.

The attack vector requires that the attack host is within host mask of exported NFSv4 mount or source address spoofing is not properly mitigated in the network. The attack payload fits to single one-way UDP packet. The kernel must be compiled with CONFIG_NFSD_PNFS enabled.

References:

http://seclists.org/oss-sec/2017/q2/615

Upstream fixes:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b550a32e60a4941994b437a8d662432a486235a5

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f961e3f2acae94b727380c0b74e2d3954d0edf79
Comment 1 Adam Mariš 2017-06-29 12:49:41 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1466330]
Comment 6 Vladis Dronov 2017-06-30 17:51:13 UTC 
Statement:

This issue does not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5, 6 as the code with the flaw is not present in the products listed.

This issue affects the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 7 and Red Hat Enterprise MRG 2. Future kernel updates for these products may address this issue.
Comment 7 errata-xmlrpc 2017-08-01 19:17:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2077 https://access.redhat.com/errata/RHSA-2017:2077
Comment 9 errata-xmlrpc 2017-08-02 07:57:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1842 https://access.redhat.com/errata/RHSA-2017:1842
Comment 10 errata-xmlrpc 2017-08-08 16:21:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Extended Update Support

Via RHSA-2017:2437 https://access.redhat.com/errata/RHSA-2017:2437
Comment 11 errata-xmlrpc 2017-09-06 20:43:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2017:2669 https://access.redhat.com/errata/RHSA-2017:2669
Comment 12 Justin M. Forbes 2018-01-29 17:22:11 UTC 
This issue was fixed for Fedora in the 4.11.3 stable updates
Note You need to log in before you can comment on or make changes to this bug.