Bug 1655162 (CVE-2018-16871) - CVE-2018-16871 kernel: nfs: NULL pointer dereference due to an anomalized NFS message sequence
Summary: CVE-2018-16871 kernel: nfs: NULL pointer dereference due to an anomalized NFS...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-16871
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1645353 1656285 1656286 1656287 1656288 1672147 1672148 1672149 1672150 1672151 1716249 1732409 1735922 1735923 1739303
Blocks: 1652217
TreeView+ depends on / blocked
 
Reported: 2018-11-30 19:58 UTC by Laura Pardo
Modified: 2023-05-12 21:14 UTC (History)
53 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's NFS implementation. An attacker, who is able to mount an exported NFS filesystem, is able to trigger a null pointer dereference by using an invalid NFS sequence. This can panic the machine and deny access to the NFS server. Any outstanding disk writes to the NFS server will be lost.
Clone Of:
Environment:
Last Closed: 2019-07-29 19:18:20 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:1978 0 None None None 2019-07-30 14:16:35 UTC
Red Hat Product Errata RHBA-2020:2052 0 None None None 2020-05-11 12:53:43 UTC
Red Hat Product Errata RHBA-2020:2626 0 None None None 2020-06-19 01:49:39 UTC
Red Hat Product Errata RHSA-2019:1873 0 None None None 2019-07-29 15:14:27 UTC
Red Hat Product Errata RHSA-2019:1891 0 None None None 2019-07-29 15:15:27 UTC
Red Hat Product Errata RHSA-2019:2696 0 None None None 2019-09-10 13:46:08 UTC
Red Hat Product Errata RHSA-2019:2730 0 None None None 2019-09-11 09:09:19 UTC
Red Hat Product Errata RHSA-2020:0740 0 None None None 2020-03-09 14:31:41 UTC
Red Hat Product Errata RHSA-2020:1567 0 None None None 2020-04-28 15:24:50 UTC
Red Hat Product Errata RHSA-2020:1769 0 None None None 2020-04-28 15:51:08 UTC

Description Laura Pardo 2018-11-30 19:58:15 UTC
A flaw was found in NFS in the Linux Kernel. An attacker who is able to mount an exported NFS filesystem  is able to trigger a null pointer dereference by an invalid NFS sequence.

This can panic the machine and deny access to the NFS server. Any outstanding disk writes to the NFS server will be lost.

Upstream fix:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=01310bb7c9c98752cc763b36532fab028e0f8f81

Comment 8 Steve Dickson 2018-12-08 20:03:31 UTC
It appears rhel7 needs this upstream commit

commit 01310bb7c9c98752cc763b36532fab028e0f8f81
Author: Scott Mayhew <smayhew>
Date:   Thu Nov 8 11:11:36 2018 -0500

    nfsd: COPY and CLONE operations require the saved filehandle to be set
    
    Make sure we have a saved filehandle, otherwise we'll oops with a null
    pointer dereference in nfs4_preprocess_stateid_op().
    
    Signed-off-by: Scott Mayhew <smayhew>
    Cc: stable.org
    Signed-off-by: J. Bruce Fields <bfields>

Since it was our guy that found and fixed I wonder if the
is a bz in he pipline.

Comment 9 Steve Dickson 2018-12-08 20:21:54 UTC
(In reply to Steve Dickson from comment #8)
> It appears rhel7 needs this upstream commit
> 

Confirmed... The patch stops the oops and returns the error...

I looked it does not appear there is another bz opened 
on this problem.... 

Please advise on how to move forward on this...

Comment 14 Laura Pardo 2018-12-17 15:03:18 UTC
Acknowledgments:

Name: Jasu Liedes (Synopsys SIG), Hangbin Liu (Red Hat)

Comment 16 Wade Mealing 2019-02-04 04:31:41 UTC
After review this got bumped to "Moderate" and now qualifies for Z stream. Its kinda nasty and would STILL recommend fixing this.

Comment 22 Wade Mealing 2019-06-03 02:24:24 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1716249]

Comment 23 Justin M. Forbes 2019-06-03 14:15:08 UTC
This was fixed for Fedora with the 4.20 stable rebases.

Comment 24 errata-xmlrpc 2019-07-29 15:14:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1873 https://access.redhat.com/errata/RHSA-2019:1873

Comment 25 errata-xmlrpc 2019-07-29 15:15:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1891 https://access.redhat.com/errata/RHSA-2019:1891

Comment 26 Product Security DevOps Team 2019-07-29 19:18:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-16871

Comment 33 errata-xmlrpc 2019-09-10 13:46:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:2696 https://access.redhat.com/errata/RHSA-2019:2696

Comment 34 errata-xmlrpc 2019-09-11 09:09:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2019:2730 https://access.redhat.com/errata/RHSA-2019:2730

Comment 38 errata-xmlrpc 2020-03-09 14:31:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0740 https://access.redhat.com/errata/RHSA-2020:0740

Comment 40 errata-xmlrpc 2020-04-28 15:24:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1567 https://access.redhat.com/errata/RHSA-2020:1567

Comment 41 errata-xmlrpc 2020-04-28 15:51:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1769 https://access.redhat.com/errata/RHSA-2020:1769


Note You need to log in before you can comment on or make changes to this bug.