Bugzilla – Bug 866101
VUL-0: CVE-2014-0100: kernel: net: remote crash via a race condition in the inet frag code
Last modified: 2015-02-19 01:48:21 UTC
The race seems to be introduced in v3.9-rc1 by 3ef0eb0db "net: frag, move LRU list maintenance outside of rwlock". The code in SLE11 SP2/SP3 still does the LRU insertion under the main lock of struct inet_frags. But I better check again tomorrow as we still have three separate implementations of fragment handling (IPv4, IPv6 and IPv6 nfconntrack) and the code was touched substantially by the fix for bnc#773577 and the follow-up fix (bnc#835094).
(In reply to comment #2)
> The code in SLE11 SP2/SP3 still does the LRU insertion under the main
> lock of struct inet_frags.

I omitted the important part: ...held for write
bugbot adjusting priority
I checked again and SLE11-SP3 and older are not affected as they add the entry to LRU holding the main lock of struct inet_frags for write. The same is true for openSUSE-12.3. So the only affected branches should be SLE12 and openSUSE-13.1 (not counting master, of course). Is the fix supposed to get into SLE12 Beta 2? If so, what branch should I commit it to?
Thanks for the research! There is no specific hurry for SLE12. So you can hold off committing until the embargo ends.
public
Date: Tue, 4 Mar 2014 11:58:48 +0100
From: Petr Matousek <pmatouse@redhat.com>

A very subtle race condition between inet_frag_evictor, inet_frag_intern and the IPv4/6 frag_queue and expire functions (basically the users of inet_frag_kill/inet_frag_put) was found. What happens is that after a fragment has been added to the hash chain but before it's been added to the lru_list (inet_frag_lru_add), it may get deleted (either by an expired timer if the system load is high or the timer sufficiently low, or by the frag_queue function for different reasons) before it's added to the lru_list, then after it gets added it's a matter of time for the evictor to get to a piece of memory which has been freed leading to a number of different bugs depending on what's left there.

Introduced by: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3ef0eb0d
Upstream patch submission: http://patchwork.ozlabs.org/patch/325844/
References: https://bugzilla.redhat.com/show_bug.cgi?id=1070618

--
Petr Matousek / Red Hat Security Response Team
PGP: 0xC44977CA 8107 AF16 A416 F9AF 18F3 D874 3E78 6F42 C449 77CA
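The ordering problem in the mail above, replayed as a constructed user-space model. This is an added example, not kernel code and not the upstream patch: the fragment queue lives in a static pool with a `freed` flag so the "evictor reaches freed memory" outcome can be observed safely, the refcounting and the `COMPLETE` flag mimic inet_frag_kill/inet_frag_put only loosely, and the "safe" ordering (LRU membership established in the same critical section as the hash insertion, so a kill always finds and unlinks it) is one corrected ordering chosen for illustration, not a claim about what the upstream fix does. Function and field names are invented for the model.

```c
#include <string.h>

/* Constructed model of struct inet_frag_queue (not the kernel's). */
#define POOL_SIZE 4
#define FRAG_COMPLETE 1

struct frag {
    int freed;    /* set instead of really freeing, so it can be inspected */
    int refcnt;
    int flags;
    int in_hash;
    int in_lru;
};

static struct frag pool[POOL_SIZE];
static struct frag *hash_chain[POOL_SIZE];
static struct frag *lru_list[POOL_SIZE];
static int nhash, nlru;

static void reset_model(void)
{
    memset(pool, 0, sizeof(pool));
    nhash = nlru = 0;
}

/* Array-backed stand-ins for hlist_add_head / list_add_tail / list_del. */
static void hash_add(struct frag *q) { hash_chain[nhash++] = q; q->in_hash = 1; }
static void lru_add(struct frag *q)  { lru_list[nlru++] = q;   q->in_lru  = 1; }

static void hash_del(struct frag *q)
{
    for (int i = 0; i < nhash; i++)
        if (hash_chain[i] == q) { hash_chain[i] = hash_chain[--nhash]; break; }
    q->in_hash = 0;
}

static void lru_del(struct frag *q)
{
    if (!q->in_lru) return;          /* not yet on the LRU: nothing to unlink */
    for (int i = 0; i < nlru; i++)
        if (lru_list[i] == q) { lru_list[i] = lru_list[--nlru]; break; }
    q->in_lru = 0;
}

/* Model of inet_frag_put: last reference "frees" the queue. */
static void frag_put(struct frag *q)
{
    if (--q->refcnt == 0) q->freed = 1;
}

/* Model of inet_frag_kill: mark complete, unlink from both lists, drop
 * the reference that list membership held. */
static void frag_kill(struct frag *q)
{
    if (q->flags & FRAG_COMPLETE) return;
    q->flags |= FRAG_COMPLETE;
    lru_del(q);
    hash_del(q);
    frag_put(q);
}

/* Model of the evictor's LRU walk: counts entries that are already freed,
 * i.e. the use-after-free the report describes. */
static int evictor_freed_entries(void)
{
    int bad = 0;
    for (int i = 0; i < nlru; i++)
        if (lru_list[i]->freed) bad++;
    return bad;
}

/* Vulnerable interleaving: hash insertion, lock dropped, timer expiry
 * kills and frees the queue, and only then the deferred LRU add runs. */
int race_lru_add_after_hash(void)
{
    reset_model();
    struct frag *q = &pool[0];
    q->refcnt = 2;               /* one for list membership, one for the caller */
    hash_add(q);
    frag_kill(q);                /* expire path wins the race */
    frag_put(q);                 /* caller drops its reference: now freed */
    lru_add(q);                  /* late LRU add puts a freed object on the list */
    return evictor_freed_entries();   /* 1: evictor would touch freed memory */
}

/* Corrected ordering for the model: the queue is on the LRU before it
 * becomes reachable through the hash, so any later kill unlinks it. */
int safe_lru_add_with_hash(void)
{
    reset_model();
    struct frag *q = &pool[0];
    q->refcnt = 2;
    lru_add(q);
    hash_add(q);
    frag_kill(q);
    frag_put(q);
    return evictor_freed_entries();   /* 0 */
}
```

The model makes the two facts in the report concrete: a kill that runs between the two insertions finds nothing on the LRU to unlink, and the deferred `lru_add` then re-links an object whose refcount has already reached zero. Anything that establishes LRU membership before the object is reachable by the expiry path, or holds the same write lock across both insertions as the SLE11 code does, closes the window.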
openSUSE-SU-2014:0985-1: An update that solves 14 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 768714,851686,855657,866101,867531,867723,879071,880484,882189,883518,883724,883795,884840,885422,885725,886629
CVE References: CVE-2014-0100,CVE-2014-0131,CVE-2014-2309,CVE-2014-3917,CVE-2014-4014,CVE-2014-4171,CVE-2014-4508,CVE-2014-4652,CVE-2014-4653,CVE-2014-4654,CVE-2014-4655,CVE-2014-4656,CVE-2014-4667,CVE-2014-4699
Sources used:
openSUSE 13.1 (src): cloop-2.639-11.13.1, crash-7.0.2-2.13.1, hdjmod-1.28-16.13.1, ipset-6.21.1-2.17.1, iscsitarget-1.4.20.3-13.13.1, kernel-docs-3.11.10-21.3, kernel-source-3.11.10-21.1, kernel-syms-3.11.10-21.1, ndiswrapper-1.58-13.1, pcfclock-0.44-258.13.1, vhba-kmp-20130607-2.14.1, virtualbox-4.2.18-2.18.1, xen-4.3.2_01-21.1, xtables-addons-2.3-2.13.1