Bug 1400019 (CVE-2016-8655) - CVE-2016-8655 kernel: Race condition in packet_set_ring leads to use after free
Summary: CVE-2016-8655 kernel: Race condition in packet_set_ring leads to use after free
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-8655
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1401820 1401852 1401853 1401854 1401855 1401856 1401857
Blocks:
Reported: 2016-11-30 10:02 UTC by Adam Mariš
Modified: 2021-02-05 18:54 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization while creating the TPACKET_V3 ring buffer. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system.
Clone Of:
Environment:
Last Closed: 2017-09-05 05:04:33 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0386 0 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2017-03-02 22:06:10 UTC
Red Hat Product Errata RHSA-2017:0387 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2017-03-02 22:06:22 UTC
Red Hat Product Errata RHSA-2017:0402 0 normal SHIPPED_LIVE Important: kernel-rt security, bug fix, and enhancement update 2017-03-02 21:04:05 UTC

Description Adam Mariš 2016-11-30 10:02:22 UTC
A race condition vulnerability was found in packet_set_ring that can lead to a use after free on a function pointer. This vulnerability can be used to gain kernel code execution by a local attacker capable of creating AF_PACKET sockets. This issue was introduced with the following commit:

https://github.com/torvalds/linux/commit/f6fb8f100b807378fda19e83e5ac6828b638603a

Comment 1 Adam Mariš 2016-11-30 10:02:36 UTC
Acknowledgments:

Name: Philip Pettersson

Comment 4 Andrej Nemec 2016-12-06 08:10:58 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1401820]

Comment 5 Andrej Nemec 2016-12-06 08:11:21 UTC
Public via:

http://seclists.org/oss-sec/2016/q4/607

Comment 7 Petr Matousek 2016-12-06 09:15:16 UTC
Statement:

This issue does not affect Red Hat Enterprise Linux 5 and 6.

This issue does affect Red Hat Enterprise Linux 7 and Red Hat Enterprise MRG 2. Future updates for the respective releases will address this issue.

In a default or common use of Red Hat Enterprise Linux 7 this issue does not allow an unprivileged local user to elevate their privileges on the system.

In order to exploit this issue the attacker needs CAP_NET_RAW capability, which needs to be granted by the administrator to the attacker's account. Since Red Hat Enterprise Linux 7 does not have unprivileged user namespaces enabled by default, local unprivileged users also cannot abuse namespaces to grant this capability to themselves and elevate their privileges.
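The statement above hinges on which accounts and processes actually hold CAP_NET_RAW, since that is what gates AF_PACKET socket creation. The following added example (not part of this bug report or of any Red Hat tooling) inventories processes whose effective capability set includes CAP_NET_RAW by parsing the CapEff mask in /proc/<pid>/status; the bit number 13 for CAP_NET_RAW comes from the kernel's capability.h, and the sample status texts are constructed.

```python
import os

# Bit number of CAP_NET_RAW in the kernel capability bitmask.
CAP_NET_RAW = 13

def cap_mask_has(mask_hex, cap):
    """Return True if capability bit `cap` is set in a hex mask as printed
    in /proc/<pid>/status (e.g. "0000003fffffffff" for a full root set)."""
    return bool((int(mask_hex, 16) >> cap) & 1)

def parse_status(text):
    """Turn the key: value lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def cap_net_raw_holders(status_texts):
    """Given {pid: status_text}, return a sorted list of (pid, name, real uid)
    for every process whose effective set includes CAP_NET_RAW."""
    holders = []
    for pid, text in status_texts.items():
        f = parse_status(text)
        if "CapEff" in f and cap_mask_has(f["CapEff"], CAP_NET_RAW):
            # The Uid line carries real, effective, saved and fs uids; report the real one.
            uid = f["Uid"].split()[0] if f.get("Uid") else "?"
            holders.append((pid, f.get("Name", "?"), uid))
    return sorted(holders)

def scan_proc(proc="/proc"):
    """Read every /proc/<pid>/status on the live system and report holders."""
    texts = {}
    for entry in os.listdir(proc):
        if entry.isdigit():
            try:
                with open(os.path.join(proc, entry, "status")) as fh:
                    texts[int(entry)] = fh.read()
            except OSError:
                continue  # process exited or status not readable
    return cap_net_raw_holders(texts)

# Constructed sample: a root capture daemon with a full capability set and an
# unprivileged user shell with an empty one.
SAMPLE = {
    1234: "Name:\ttcpdump\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n",
    5678: "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n",
}

if __name__ == "__main__":
    for pid, name, uid in scan_proc():
        print(f"{pid:>7} {name:<16} uid={uid} holds CAP_NET_RAW")
```

Run as root to see every process; as an ordinary user /proc/<pid>/status is still readable for most processes, so the inventory is usually complete either way.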

Comment 22 dafox7777777 2017-01-24 08:52:34 UTC
bump

Comment 23 errata-xmlrpc 2017-03-02 16:04:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2017:0402 https://rhn.redhat.com/errata/RHSA-2017-0402.html

Comment 24 errata-xmlrpc 2017-03-02 17:16:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:0386 https://rhn.redhat.com/errata/RHSA-2017-0386.html

Comment 25 errata-xmlrpc 2017-03-02 17:25:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:0387 https://rhn.redhat.com/errata/RHSA-2017-0387.html

