oss-sec mailing list archives

CVE-2018-14641: Linux kernel: a security flaw in the ip_frag_reasm()


From: Vladis Dronov <vdronov () redhat com>
Date: Tue, 18 Sep 2018 06:02:29 -0400 (EDT)

Heololo,

A security flaw was found in the ip_frag_reasm() function in
net/ipv4/ip_fragment.c in the Linux kernel which can cause a later system crash
in ip_do_fragment(). With a certain non-default but non-rare configuration of
a victim host, an attacker can trigger this crash remotely, thus leading to a
remote denial of service.

The CVE-ID CVE-2018-14641 was assigned to this flaw and we would suggest using
it in public communications.

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1629636

The flaw was introduced in:

$ git tag --contain fa0f527358bd
v4.19-rc1

and fixed in:

$ git tag --contain 5d407b071dc3
v4.19-rc4

The fix is the upstream commit 5d407b071dc3 ("ip: frags: fix crash in
ip_do_fragment()") and it is fixing fa0f527358bd ("ip: use rb trees for IP frag
queue."). Namely, the following part of fa0f527358bd which unions sk and
ip_defrag_offset fields of struct sk_buff has introduced the vulnerability:

+++ b/include/linux/skbuff.h
@@ -676,13 +676,16 @@ struct sk_buff {
+
+       union {
+               struct sock             *sk;
+               int                     ip_defrag_offset;
+       };
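Review bot: the anonymous union at the @@ -676 hunk makes ip_defrag_offset share its bytes with the sk pointer, so every write to ip_defrag_offset leaves a non-NULL, non-pointer value in sk unless something clears it before the skb reaches code that reads sk; per the advisory above, ip_do_fragment() later does exactly that and crashes. The hunk carries no comment saying for how long the offset is live and who is responsible for resetting the field, so add one and pair the union with an explicit reset at the end of reassembly (or keep the two fields separate), since, as the advisory notes, backporting this fragment on its own is enough to reproduce the crash.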

Distributions which have backported this part of fa0f527358bd (which in turn is
a part of the fix of the CVE-2018-5391/FragmentSmack) are vulnerable.

For the remote attack, masquerading and forwarding should be configured on a
victim host. Then an attacker can ping an external host from inside a
masqueraded zone, so that the malicious ping is masqueraded and forwarded by a
victim host. This is not a default but (we believe) not a rare configuration, so
for example, a VM hosting provider could be vulnerable.

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer
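
Editor's added illustration of the aliasing the advisory describes; this is
constructed C, not code from the message or from the kernel. A toy
`struct demo_skb` (hypothetical name) overlays an int offset on a pointer the
same way the fa0f527358bd hunk overlays ip_defrag_offset on sk. The
"reassembly" step orphans the buffer and then records the offset; the
"fragmentation" step, like ip_do_fragment() per the advisory, treats a non-NULL
sk as a real socket. The hardened variant clears the aliased field before
handoff, which is an assumed remediation pattern for the demo and not a
reproduction of upstream commit 5d407b071dc3. No pointer is dereferenced; the
consumer only reports whether it would have.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for struct sock; never dereferenced in this demo. */
struct demo_sock { int refcnt; };

/* Constructed model of the layout introduced by the union in fa0f527358bd:
 * the defrag offset shares storage with the socket pointer. */
struct demo_skb {
    union {
        struct demo_sock *sk;
        int ip_defrag_offset;
    };
    int len;
};

/* Model of the reassembly step: orphan the buffer (sk = NULL), then store
 * the fragment offset, which overwrites the bytes sk lives in. */
static void demo_reasm_vulnerable(struct demo_skb *skb, int offset)
{
    skb->sk = NULL;                 /* what skb_orphan() does to the field */
    skb->ip_defrag_offset = offset; /* leaves a non-pointer value in sk */
}

/* Hardened variant (assumed remediation pattern, not the upstream diff):
 * the offset is only meaningful during reassembly, so the aliased field is
 * reset before the buffer is handed to any consumer that reads sk. */
static void demo_reasm_fixed(struct demo_skb *skb, int offset)
{
    skb->sk = NULL;
    skb->ip_defrag_offset = offset;
    /* ... reassembly work that needs the offset would happen here ... */
    skb->sk = NULL; /* invalidate the alias before handoff */
}

/* Model of the consumer: returns 1 if a non-NULL sk would be dereferenced
 * (the crash the advisory describes), 0 if sk is NULL. The dereference
 * itself is deliberately not performed. */
static int demo_fragment_would_deref_sk(const struct demo_skb *skb)
{
    return skb->sk != NULL;
}

/* Raw bits left in sk by the vulnerable path for a given offset: the offset
 * reinterpreted as an address, so nonzero for any nonzero offset. */
static uintptr_t demo_sk_bits_after(int offset)
{
    struct demo_skb skb = { .len = 1500 };
    demo_reasm_vulnerable(&skb, offset);
    return (uintptr_t)skb.sk;
}

/* Runs both paths for one offset. Returns 1 when the vulnerable path would
 * dereference sk and the fixed path would not; fills in both verdicts. */
static int demo_run(int offset, int *vuln_derefs, int *fixed_derefs)
{
    struct demo_skb a = { .len = 1500 };
    struct demo_skb b = { .len = 1500 };
    demo_reasm_vulnerable(&a, offset);
    demo_reasm_fixed(&b, offset);
    *vuln_derefs = demo_fragment_would_deref_sk(&a);
    *fixed_derefs = demo_fragment_would_deref_sk(&b);
    return *vuln_derefs && !*fixed_derefs;
}

int main(void)
{
    int v = 0, f = 0;
    demo_run(1480, &v, &f); /* 1480 is a constructed sample offset */
    printf("vulnerable: sk bits = %#lx, would dereference: %d\n",
           (unsigned long)demo_sk_bits_after(1480), v);
    printf("fixed:      would dereference: %d\n", f);
    return 0;
}
```

The point the model makes is endianness-independent: after the orphan step
every byte of the pointer is zero, so any nonzero offset written through the
union yields a non-NULL sk, and the consumer's NULL check no longer protects
it. The only defence is to reset the field before the buffer leaves the code
that owns the offset.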

