Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1480266 (CVE-2017-7558)

Summary: CVE-2017-7558 kernel: Out of bounds read in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() in SCTP stack
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: airlied, ajawarka, ajax, aquini, bhu, blc, bskeggs, dhoward, dominik.mierzejewski, eparis, esandeen, fhrbata, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jforbes, jglisse, jkacur, jonathan, josef, jross, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, m.a.young, mchehab, mcressma, mjg59, mlangsdo, nhorman, nmurray, pholasek, plougher, quintela, rt-maint, rvrbovsk, security-response-team, slawomir, vdronov, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:20:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1484351, 1484354, 1484355, 1484356, 1484357, 1484358, 1484810    
Bug Blocks:    

Description Pedro Sampaio 2017-08-10 14:32:43 UTC
A kernel data leak due to an out-of-bound read was found in Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since v4.7-rc1 upto v4.13 including. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result upto 100 bytes of the slab data could be leaked to a userspace.

References:

http://seclists.org/oss-sec/2017/q3/338

https://marc.info/?t=150348787500002&r=1&w=2

Proposed upstream patch:

https://marc.info/?l=linux-netdev&m=150348777122761&w=2

Comment 1 Pedro Sampaio 2017-08-10 14:32:55 UTC
Acknowledgments:

Name: Stefano Brivio (Red Hat)

Comment 6 Vladis Dronov 2017-08-23 12:54:40 UTC
Statement:

This issue does not affect Red Hat Enterprise Linux 5 and 6 as the code with the flaw is not present in the products listed.

This issue affects Red Hat Enterprise Linux 7 and Red Hat Enterprise MRG 2. Future updates for the respective releases may address this issue.

Comment 7 Vladis Dronov 2017-08-24 10:46:46 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1484810]

Comment 10 errata-xmlrpc 2017-10-19 13:27:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2017:2918 https://access.redhat.com/errata/RHSA-2017:2918

Comment 11 errata-xmlrpc 2017-10-19 15:07:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2930 https://access.redhat.com/errata/RHSA-2017:2930

Comment 12 errata-xmlrpc 2017-10-19 15:10:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2931 https://access.redhat.com/errata/RHSA-2017:2931