A security flaw was found in the ip_frag_reasm() function in net/ipv4/ip_fragment.c in the Linux kernel which can cause a later system crash in ip_do_fragment(). With a certain non-default but not rare configuration of a victim host, an attacker can trigger this crash remotely, leading to a remote denial of service.

References:
https://seclists.org/oss-sec/2018/q3/248

An upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5d407b071dc369c26a38398326ee2be53651cfe4
Note: The fix is the upstream commit 5d407b071dc3 ("ip: frags: fix crash in ip_do_fragment()"), which fixes fa0f527358bd ("ip: use rb trees for IP frag queue."). Namely, the following part of fa0f527358bd, which unions the sk and ip_defrag_offset fields of struct sk_buff, introduced the vulnerability:

+++ b/include/linux/skbuff.h @@ -676,13 +676,16 @@ struct sk_buff { + + union { + struct sock *sk; + int ip_defrag_offset; + };

Only Red Hat Enterprise Linux 7 for ARM 64 and Red Hat Enterprise Linux 7 for Power 9 LE (the RHEL-ALT product) has backported this part of fa0f527358bd and so is vulnerable to this flaw. Future Linux kernel updates for this product may address this issue.
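Review bot: placing ip_defrag_offset in a union with sk in this hunk means any skb that leaves the fragment queue with ip_defrag_offset still set presents that integer as a struct sock pointer to every later consumer of skb->sk, which is exactly the ip_do_fragment() crash the description above attributes to ip_frag_reasm(); the reassembly path must clear the field (or restore sk) on each skb before handing it on, rather than relying on callers never to touch skb->sk for a reassembled packet.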
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1630279]
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7
Via RHSA-2018:2948 https://access.redhat.com/errata/RHSA-2018:2948