Bug 1655162 (CVE-2018-16871) - CVE-2018-16871 kernel: nfs: NULL pointer dereference due to an anomalized NFS message sequence
Summary: CVE-2018-16871 kernel: nfs: NULL pointer dereference due to an anomalized NFS...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-16871
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20190603:0223,...
Depends On: 1656286 1656288 1672150 1735922 1735923 1739303 1645353 1656285 1656287 1672147 1672148 1672149 1672151 1716249
Blocks: 1652217
TreeView+ depends on / blocked
 
Reported: 2018-11-30 19:58 UTC by Laura Pardo
Modified: 2019-08-15 13:52 UTC (History)
53 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's NFS implementation. An attacker, who is able to mount an exported NFS filesystem, is able to trigger a null pointer dereference by using an invalid NFS sequence. This can panic the machine and deny access to the NFS server. Any outstanding disk writes to the NFS server will be lost.
Clone Of:
Environment:
Last Closed: 2019-07-29 19:18:20 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:1978 None None None 2019-07-30 14:16:35 UTC
Red Hat Product Errata RHSA-2019:1873 None None None 2019-07-29 15:14:27 UTC
Red Hat Product Errata RHSA-2019:1891 None None None 2019-07-29 15:15:27 UTC

Description Laura Pardo 2018-11-30 19:58:15 UTC
A flaw was found in NFS in the Linux Kernel. An attacker who is able to mount an exported NFS filesystem  is able to trigger a null pointer dereference by an invalid NFS sequence.

This can panic the machine and deny access to the NFS server. Any outstanding disk writes to the NFS server will be lost.

Upstream fix:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=01310bb7c9c98752cc763b36532fab028e0f8f81

Comment 8 Steve Dickson 2018-12-08 20:03:31 UTC
It appears rhel7 needs this upstream commit

commit 01310bb7c9c98752cc763b36532fab028e0f8f81
Author: Scott Mayhew <smayhew@redhat.com>
Date:   Thu Nov 8 11:11:36 2018 -0500

    nfsd: COPY and CLONE operations require the saved filehandle to be set
    
    Make sure we have a saved filehandle, otherwise we'll oops with a null
    pointer dereference in nfs4_preprocess_stateid_op().
    
    Signed-off-by: Scott Mayhew <smayhew@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>

Since it was our guy that found and fixed I wonder if the
is a bz in he pipline.

Comment 9 Steve Dickson 2018-12-08 20:21:54 UTC
(In reply to Steve Dickson from comment #8)
> It appears rhel7 needs this upstream commit
> 

Confirmed... The patch stops the oops and returns the error...

I looked it does not appear there is another bz opened 
on this problem.... 

Please advise on how to move forward on this...

Comment 14 Laura Pardo 2018-12-17 15:03:18 UTC
Acknowledgments:

Name: Jasu Liedes (Synopsys SIG), Hangbin Liu (Red Hat)

Comment 16 Wade Mealing 2019-02-04 04:31:41 UTC
After review this got bumped to "Moderate" and now qualifies for Z stream. Its kinda nasty and would STILL recommend fixing this.

Comment 22 Wade Mealing 2019-06-03 02:24:24 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1716249]

Comment 23 Justin M. Forbes 2019-06-03 14:15:08 UTC
This was fixed for Fedora with the 4.20 stable rebases.

Comment 24 errata-xmlrpc 2019-07-29 15:14:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1873 https://access.redhat.com/errata/RHSA-2019:1873

Comment 25 errata-xmlrpc 2019-07-29 15:15:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1891 https://access.redhat.com/errata/RHSA-2019:1891

Comment 26 Product Security DevOps Team 2019-07-29 19:18:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-16871


Note You need to log in before you can comment on or make changes to this bug.