Bug 1470659 (CVE-2017-11176) - CVE-2017-11176 kernel: Use-after-free in sys_mq_notify()
Summary: CVE-2017-11176 kernel: Use-after-free in sys_mq_notify()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-11176
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1470660 1476122 1476123 1476124 1476125 1476126 1476127 1476128 1476129 1476130 1476131
Blocks:
Reported: 2017-07-13 12:13 UTC by Adam Mariš
Modified: 2021-03-11 15:26 UTC

Fixed In Version:
Doc Text:
A use-after-free flaw was found in the Netlink functionality of the Linux kernel networking subsystem. Due to the insufficient cleanup in the mq_notify function, a local attacker could potentially use this flaw to escalate their privileges on the system.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:16:25 UTC
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2017:2918 | 0 | normal | SHIPPED_LIVE | Important: kernel-rt security and bug fix update | 2017-10-19 17:24:24 UTC
Red Hat Product Errata | RHSA-2017:2930 | 0 | normal | SHIPPED_LIVE | Important: kernel security and bug fix update | 2017-10-19 18:47:35 UTC
Red Hat Product Errata | RHSA-2017:2931 | 0 | normal | SHIPPED_LIVE | Important: kernel-rt security and bug fix update | 2017-10-19 18:48:35 UTC
Red Hat Product Errata | RHSA-2018:0169 | 0 | normal | SHIPPED_LIVE | Important: kernel security and bug fix update | 2018-01-25 16:22:33 UTC
Red Hat Product Errata | RHSA-2018:3822 | 0 | None | None | None | 2018-12-12 14:53:46 UTC

Description Adam Mariš 2017-07-13 12:13:50 UTC
The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use after free), which may lead to memory corruption or other unspecified impact.

Upstream patch:

https://github.com/torvalds/linux/commit/f991af3daabaecff34684fd51fac80319d1baad1

Mitre advisory: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11176

What is use after free: https://access.redhat.com/use-after-free-flaw-type
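
An added illustration, not part of the original report or of the kernel source: a user-space model of the reference counting behind the flaw described above, run with and without the NULL assignment on the retry path. All names (`model_sock`, `attach_model`, `lookup_model`, `run_model`) are hypothetical, and the control flow is a simplified assumption: the attach step is taken to release the caller's reference before asking for a retry.

```c
#include <stdio.h>
#include <stddef.h>

struct model_sock { int refcnt; };   /* constructed stand-in for the socket */

/* Assumption: when the attach step asks for a retry (returns 1) it has
 * already released the caller's reference. */
static int attach_model(struct model_sock *sk, int attempt)
{
    if (attempt == 0) { sk->refcnt--; return 1; }
    return 0;
}

/* fd lookup: takes a reference, or fails once the fd has been closed */
static struct model_sock *lookup_model(struct model_sock *sk, int fd_open)
{
    if (!fd_open) return NULL;
    sk->refcnt++;
    return sk;
}

/* Returns the final refcount: 1 = balanced, 2 = registered, 0 = over-released. */
int run_model(int close_before_retry, int patched)
{
    struct model_sock sk = { 1 };    /* reference held by the open fd */
    struct model_sock *sock = NULL, *found;
    int fd_open = 1, attempt = 0;

    for (;;) {                                    /* the retry loop */
        found = lookup_model(&sk, fd_open);
        if (!found) break;                        /* error exit: sock left as-is */
        sock = found;
        if (attach_model(sock, attempt++) == 1) {
            if (patched) sock = NULL;             /* the fix: forget the stale pointer */
            if (close_before_retry) fd_open = 0;  /* fd closed between attempts */
            continue;
        }
        sock = NULL;                              /* success: reference kept by the queue */
        break;
    }
    if (sock) sock->refcnt--;        /* cleanup releases what it believes it owns */
    return sk.refcnt;
}

int main(void)
{
    printf("unpatched, fd closed before retry: refcnt=%d\n", run_model(1, 0));
    printf("patched,   fd closed before retry: refcnt=%d\n", run_model(1, 1));
    return 0;
}
```

In the unpatched run the count reaches 0 while the model's other holder still exists, which is the condition under which a later access becomes a use after free.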

Comment 1 Adam Mariš 2017-07-13 12:14:42 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1470660]

Comment 2 Fedora Update System 2017-07-23 22:55:03 UTC
kernel-4.11.11-200.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Eric Christensen 2017-10-10 18:44:42 UTC
Statement:

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6, 7 and MRG-2. Future Linux kernel updates for the respective releases may address this issue.

Comment 8 errata-xmlrpc 2017-10-19 13:26:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2017:2918 https://access.redhat.com/errata/RHSA-2017:2918

Comment 9 errata-xmlrpc 2017-10-19 15:05:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2930 https://access.redhat.com/errata/RHSA-2017:2930

Comment 10 errata-xmlrpc 2017-10-19 15:09:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2931 https://access.redhat.com/errata/RHSA-2017:2931

Comment 11 errata-xmlrpc 2018-01-25 11:31:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:0169 https://access.redhat.com/errata/RHSA-2018:0169

Comment 13 errata-xmlrpc 2018-12-12 14:53:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5 Extended Lifecycle Support

Via RHSA-2018:3822 https://access.redhat.com/errata/RHSA-2018:3822
