An integer overflow issue was found in the way the Linux kernel processes TCP Selective Acknowledgement (SACK) segments. While processing SACK segments, the Linux kernel's socket buffer (SKB) data structure becomes fragmented. Each fragment is about TCP MSS bytes. To efficiently process SACK blocks, Linux combines multiple fragmented SKBs into one. This merging of SKBs results in the said integer overflow issue, as the number of segments exceeds the 16-bit width of the 'TCP_SKB_CB(skb)->tcp_gso_segs' parameter in the tcp_shifted_skb() routine. A remote attacker could use this flaw to crash the Linux kernel by sending a crafted sequence of SACK segments on a TCP connection with the minimum value of TCP MSS, resulting in DoS.

Upstream patch:
---------------
  -> https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=3b4929f65b0d8249f19a50245cd88ed1a2f78cff

Reference:
----------
  -> https://www.ietf.org/rfc/rfc2018.txt
  -> http://vger.kernel.org/~davem/skb_data.html
  -> https://git.kernel.org/linus/832d11c5cd076abc0aa1eaf7be96c81d1a59ce41
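The counter wrap described in the report above, shown as an added example that is not part of the original bug report and is not kernel code: a user-space C model of merging buffers whose segment count is held in 16 bits, with an unchecked merge beside one that refuses to merge when the sum would not fit. The struct, the function names and the sample sizes (20 buffers of 4096 eight-byte segments) are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* User-space model only; every name here is hypothetical, not kernel code. */
struct model_skb {
    uint32_t len;      /* payload bytes held by this buffer */
    uint16_t gso_segs; /* 16-bit segment counter, as in the report */
};

/* Unchecked merge: the counter is added in 16 bits and silently wraps. */
static void merge_unchecked(struct model_skb *to, const struct model_skb *from)
{
    to->len += from->len;
    to->gso_segs = (uint16_t)(to->gso_segs + from->gso_segs);
}

/* Checked merge: refuse (return 0) when the sum would not fit in 16 bits. */
static int merge_checked(struct model_skb *to, const struct model_skb *from)
{
    if ((uint32_t)to->gso_segs + from->gso_segs > UINT16_MAX)
        return 0;
    to->len += from->len;
    to->gso_segs = (uint16_t)(to->gso_segs + from->gso_segs);
    return 1;
}

/* Merge n buffers of `segs` segments of `seg_bytes` each into one buffer.
 * Returns 1 if the final counter still equals len / seg_bytes, else 0. */
static int counter_consistent(unsigned n, uint16_t segs, uint32_t seg_bytes, int checked)
{
    struct model_skb to = { 0, 0 };
    struct model_skb from = { (uint32_t)segs * seg_bytes, segs };
    for (unsigned i = 0; i < n; i++) {
        if (!checked)
            merge_unchecked(&to, &from);
        else if (!merge_checked(&to, &from))
            break; /* a real caller would continue in a new buffer */
    }
    return to.len / seg_bytes == (uint32_t)to.gso_segs;
}

int main(void)
{
    /* Constructed input: 20 * 4096 = 81920 segments, more than 65535. */
    printf("unchecked consistent: %d\n", counter_consistent(20, 4096, 8, 0));
    printf("checked consistent:   %d\n", counter_consistent(20, 4096, 8, 1));
    return 0;
}
```

In the unchecked run the buffer ends up holding 81920 segments while its counter reads 16384; code that later trusts the counter is working from a wrong value, which is the inconsistency the merge guard prevents.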
Acknowledgments: Name: Jonathan Looney (Netflix Information Security)
Statement: Red Hat Product Security is aware of this issue. Updates will be released as they become available. For additional information, please refer to the Red Hat Knowledgebase article: https://access.redhat.com/security/vulnerabilities/tcpsack
Mitigation: For mitigation, please refer to the Red Hat Knowledgebase article: https://access.redhat.com/security/vulnerabilities/tcpsack
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1721254]
External References: https://www.openwall.com/lists/oss-security/2019/06/17/5 https://patchwork.ozlabs.org/project/netdev/list/?series=114310
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1479 https://access.redhat.com/errata/RHSA-2019:1479
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:1488 https://access.redhat.com/errata/RHSA-2019:1488
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:1481 https://access.redhat.com/errata/RHSA-2019:1481
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.5 Extended Update Support Via RHSA-2019:1482 https://access.redhat.com/errata/RHSA-2019:1482
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Extended Update Support Via RHSA-2019:1483 https://access.redhat.com/errata/RHSA-2019:1483
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.6 Advanced Update Support Via RHSA-2019:1489 https://access.redhat.com/errata/RHSA-2019:1489
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.5 Advanced Update Support Via RHSA-2019:1490 https://access.redhat.com/errata/RHSA-2019:1490
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.2 Advanced Update Support, Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions, Red Hat Enterprise Linux 7.2 Telco Extended Update Support. Via RHSA-2019:1485 https://access.redhat.com/errata/RHSA-2019:1485
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.3 Advanced Update Support, Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions, Red Hat Enterprise Linux 7.3 Telco Extended Update Support. Via RHSA-2019:1484 https://access.redhat.com/errata/RHSA-2019:1484
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1480 https://access.redhat.com/errata/RHSA-2019:1480
This issue has been addressed in the following products: Red Hat Enterprise MRG 2 Via RHSA-2019:1487 https://access.redhat.com/errata/RHSA-2019:1487
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:1486 https://access.redhat.com/errata/RHSA-2019:1486
This issue has been addressed in the following products: Red Hat Virtualization 4.2 for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2019:1594 https://access.redhat.com/errata/RHSA-2019:1594
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:1602 https://access.redhat.com/errata/RHSA-2019:1602
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4 (RH CoreOS) Via RHBA-2019:1589 https://access.redhat.com/errata/RHBA-2019:1589
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2019:1699 https://access.redhat.com/errata/RHSA-2019:1699
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11477
OpenShift Container Platform 4 does not ship its own kernel package, instead using versions shipped in RHEL. Removing from flaw bug affects.