Bug 1112859 (CVE-2018-18559) - VUL-0: CVE-2018-18559: kernel-source: Use-after-free due to race condition in AF_PACKET implementation
Summary: VUL-0: CVE-2018-18559: kernel-source: Use-after-free due to race condition in...
Status: RESOLVED FIXED
Alias: CVE-2018-18559
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/217761/
Whiteboard: CVSSv3:SUSE:CVE-2018-18559:7.8:(AV:L/...
Keywords:
Depends on:
Blocks: 1112921
Reported: 2018-10-23 08:37 UTC by Karol Babioch
Modified: 2024-07-04 09:13 UTC
CC: 7 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Karol Babioch 2018-10-23 08:37:59 UTC
In the Linux kernel through 4.19, a use-after-free can occur due to a race condition between fanout_add from setsockopt and bind on an AF_PACKET socket. This issue exists because of the 15fe076edea787807a7cdc168df832544b58eba6 incomplete fix for a race condition. The code mishandles a certain multithreaded case involving a packet_do_bind unregister action followed by a packet_notifier register action. Later, packet_release operates on only one of the two applicable linked lists. The attacker can achieve Program Counter control.


External Reference:
https://blogs.securiteam.com/index.php/archives/3731

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1641878
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18559
Comment 2 Michal Kubeček 2018-11-02 08:18:50 UTC
Based on the description, affected branches should be those where commit
15fe076edea7 was needed, i.e. 4.4 based and newer. This race started with
mainline commit 30f7ea1c2b5f ("packet: race condition in packet_bind") which
wasn't backported to any of our older branches.

There is no fix in net tree yet, AFAICS, or submitted to netdev mailing list.
I'll take a closer look at the code later today.
Comment 4 Marcus Meissner 2019-01-16 15:03:04 UTC
30f7ea1c2b5f would be 4.4
15fe076edea7 being the fix would be 4.15

so 4.4 -> 4.15 affected
Comment 5 Marcus Meissner 2019-01-16 15:15:49 UTC
sle15 and sle12sp4: patches.fixes/net-packet-fix-a-race-in-packet_bind-and-packet_noti.patch

SLE12 SP2 and SP3:
patches.kernel.org/4.4.106-100-net-packet-fix-a-race-in-packet_bind-and-pack.patch:Git-commit: 15fe076edea787807a7cdc168df832544b58eba6
patches.kernel.org/4.4.106-100-net-packet-fix-a-race-in-packet_bind-and-pack.patch:[ Upstream commit 15fe076edea787807a7cdc168df832544b58eba6 ]
Comment 6 Michal Kubeček 2019-01-21 10:07:54 UTC
I'm not sure. I must admit I had also trouble understanding the race condition
described in the article but I wasn't sure if it's me or if the claim is not
correct.

Based on the claim that "The vulnerability has been resolved in the latest
Linux Kernel version 4.17.11", I also checked mainline commit
  
  945d015ee0c3  net/packet: fix use-after-free

(v4.18-rc3) which has been backported into 4.17.9 (there is nothing remotely
related between 4.17.10 and 4.17.11) but it doesn't seem to match their
description either.
Comment 7 Marcus Meissner 2019-03-18 15:12:27 UTC
for SLE15 and SLES 12 SP4 this was included in GA.
Comment 8 Gabriele Sonnu 2022-04-07 09:04:36 UTC
Done.
Comment 9 Gabriele Sonnu 2022-04-07 09:06:41 UTC
Closing.