Bug 1660375 (CVE-2018-16884) - CVE-2018-16884 kernel: nfs: use-after-free in svc_process_common()
Summary: CVE-2018-16884 kernel: nfs: use-after-free in svc_process_common()
Status: NEW
Alias: CVE-2018-16884
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20181127,repo...
Keywords: Security
Depends On: 1653675 1660818 1660819 1660820 1660821 1660822 1660823 1660824 1660825
Blocks: 1660379
TreeView+ depends on / blocked
 
Reported: 2018-12-18 08:54 UTC by Andrej Nemec
Modified: 2019-01-15 17:23 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Andrej Nemec 2018-12-18 08:54:58 UTC
A flaw was found in the Linux kernel in the NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel id and cause a use-after-free. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.

References:

https://seclists.org/oss-sec/2018/q4/267

A proposed patchset:

https://patchwork.kernel.org/cover/10733767/

https://patchwork.kernel.org/patch/10733769/

Comment 3 Vladis Dronov 2018-12-18 22:16:37 UTC
Acknowledgements:

Name: Vasily Averin (Virtuozzo), Evgenii Shatokhin (Virtuozzo)

Comment 4 Vladis Dronov 2018-12-19 10:11:26 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1660825]


Note You need to log in before you can comment on or make changes to this bug.