Bug 1480266 (CVE-2017-7558) - CVE-2017-7558 kernel: Out of bounds read in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() in SCTP stack
Summary: CVE-2017-7558 kernel: Out of bounds read in inet_diag_msg_sctp{,l}addr_fill()...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-7558
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1484351 1484354 1484355 1484356 1484357 1484358 1484810
Blocks:
Reported: 2017-08-10 14:32 UTC by Pedro Sampaio
Modified: 2021-02-17 01:44 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A kernel data leak due to an out-of-bounds read was found in the Linux kernel in the inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions, present since version 4.7-rc1 through version 4.13. The data leak happens when these functions fill in the sockaddr data structures used to export a socket's diagnostic information. As a result, up to 100 bytes of slab data could be leaked to userspace.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:20:18 UTC
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHEA-2017:3163 | 0 | normal | SHIPPED_LIVE | new packages: kernel-alt | 2017-11-09 14:59:25 UTC
Red Hat Product Errata | RHSA-2017:2918 | 0 | normal | SHIPPED_LIVE | Important: kernel-rt security and bug fix update | 2017-10-19 17:24:24 UTC
Red Hat Product Errata | RHSA-2017:2930 | 0 | normal | SHIPPED_LIVE | Important: kernel security and bug fix update | 2017-10-19 18:47:35 UTC
Red Hat Product Errata | RHSA-2017:2931 | 0 | normal | SHIPPED_LIVE | Important: kernel-rt security and bug fix update | 2017-10-19 18:48:35 UTC

Description Pedro Sampaio 2017-08-10 14:32:43 UTC
A kernel data leak due to an out-of-bound read was found in the Linux kernel in the inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions, present since v4.7-rc1 up to and including v4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to userspace.

References:

http://seclists.org/oss-sec/2017/q3/338

https://marc.info/?t=150348787500002&r=1&w=2

Proposed upstream patch:

https://marc.info/?l=linux-netdev&m=150348777122761&w=2
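
An added illustration (not code from the kernel or from the proposed patch) of where the "up to 100 bytes" figure comes from, with the flawed fill pattern beside a hardened one. It assumes the exported slot has the size of struct sockaddr_storage (128 bytes) and the source address object is a 28-byte union like the one defined here; every demo_* name, the SLOT macro and the 0xAA marker are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <sys/socket.h>
/* Assumed userspace stand-in for the kernel's SCTP address union (28 bytes). */
union demo_sctp_addr {
    struct sockaddr_in v4;
    struct sockaddr_in6 v6;
};
#define SLOT sizeof(struct sockaddr_storage) /* assumed 128-byte export slot */

/* Constructed "slab": the address object followed by unrelated neighbour data. */
struct demo_slab {
    union demo_sctp_addr addr;
    unsigned char neighbour[SLOT - sizeof(union demo_sctp_addr)];
};

/* Flawed fill: copies a whole slot although the source object is smaller. */
static void fill_flawed(unsigned char *out, const struct demo_slab *slab)
{
    memcpy(out, slab, SLOT); /* bytes past slab->addr belong to the neighbour */
}

/* Hardened fill: copy only the source object, zero the rest of the slot. */
static void fill_hardened(unsigned char *out, const struct demo_slab *slab)
{
    memcpy(out, &slab->addr, sizeof(slab->addr));
    memset(out + sizeof(slab->addr), 0, SLOT - sizeof(slab->addr));
}

/* Count exported bytes that carry neighbour data (0xAA marker). */
static size_t leaked_bytes(void (*fill)(unsigned char *, const struct demo_slab *))
{
    struct demo_slab slab;
    unsigned char out[SLOT];
    size_t i, n = 0;
    memset(&slab, 0, sizeof(slab));
    slab.addr.v4.sin_family = AF_INET;
    memset(slab.neighbour, 0xAA, sizeof(slab.neighbour));
    fill(out, &slab);
    for (i = sizeof(slab.addr); i < SLOT; i++)
        n += (out[i] == 0xAA);
    return n;
}

int main(void)
{
    printf("flawed: %zu, hardened: %zu\n",
           leaked_bytes(fill_flawed), leaked_bytes(fill_hardened));
    return 0;
}
```

The neighbour bytes are placed inside the same struct so that the over-long copy stays within defined behaviour in this demo; in the flaw described above the extra bytes come from whatever lies next to the address in the slab.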

Comment 1 Pedro Sampaio 2017-08-10 14:32:55 UTC
Acknowledgments:

Name: Stefano Brivio (Red Hat)

Comment 6 Vladis Dronov 2017-08-23 12:54:40 UTC
Statement:

This issue does not affect Red Hat Enterprise Linux 5 and 6 as the code with the flaw is not present in the products listed.

This issue affects Red Hat Enterprise Linux 7 and Red Hat Enterprise MRG 2. Future updates for the respective releases may address this issue.

Comment 7 Vladis Dronov 2017-08-24 10:46:46 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1484810]

Comment 10 errata-xmlrpc 2017-10-19 13:27:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2017:2918 https://access.redhat.com/errata/RHSA-2017:2918

Comment 11 errata-xmlrpc 2017-10-19 15:07:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2930 https://access.redhat.com/errata/RHSA-2017:2930

Comment 12 errata-xmlrpc 2017-10-19 15:10:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2931 https://access.redhat.com/errata/RHSA-2017:2931

