Bug 1193167 (CVE-2021-4028)

Summary: VUL-0: CVE-2021-4028: kernel-source,kernel-source-rt,kernel-source-azure: kernel: use-after-free in RDMA listen()
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Leroy <thomas.leroy>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: REOPENED ---
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: bpetkov, mbenes, meissner, smash_bz, tbogendoerfer
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/315947/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-4028:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1193529    

Description Thomas Leroy 2021-11-29 10:21:13 UTC
rh#2027201

A flaw in the Linux kernel's implementation of the RDMA communications manager listener code allowed an attacker with local access to set up a socket to listen on a high port, allowing a list element to be used after free. Given the ability to execute code, a local attacker could leverage this use-after-free to crash the system or possibly escalate privileges on the system.

Upstream commit:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bc0bdc5afaa740d782fbf936aaeebd65e5c2921d

Vulnerable commit:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=732d41c545bb

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2027201
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4028
Comment 1 Thomas Leroy 2021-11-29 10:25:00 UTC
The commit introducing the bug is contained on the following branches:
- stable
- SLE15-SP3
- SLE15-SP4

These branches also contain the fixing commit (fix introduced by bsc#1181147). I think none of the branches are affected.
Comment 3 Thomas Bogendoerfer 2021-12-16 13:34:08 UTC
(In reply to Thomas Leroy from comment #1)
> The commit introducing the bug is contained on the following branches:
> - stable
> - SLE15-SP3
> - SLE15-SP4
> 
> These branches also contain the fixing commit (fix introduced by
> bsc#1181147). I think none of the branches are affected.

Added CVE number to

SLE15-SP3
SLE15-SP4

All other branches are not affected.
Comment 4 Thomas Leroy 2021-12-17 13:09:25 UTC
Thanks Thomas for confirming it. Closing since we are not affected.
Comment 5 Miroslav Beneš 2022-04-08 13:43:49 UTC
I cannot see the CVE reference (at least) in SLE15-SP3 log. Was it forgotten or am I missing something? People asked why there is a live patch available but no kernel patch.
Comment 6 Marcus Meissner 2022-04-08 14:03:14 UTC
reopen to clarify
Comment 7 Thomas Bogendoerfer 2022-04-08 14:56:41 UTC
No idea why/how I missed SLE15-SP3. I've pushed an update to my for-next branch.
Comment 8 Thomas Bogendoerfer 2022-04-25 16:23:26 UTC
CVE reference is now present
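The two checks this record turns on, the branch-containment reasoning of comments 1 and 3 (introducing commit present, fixing commit present or not) and the missing-CVE-reference question of comments 5 to 8, as one added example. It is not part of the bug record and not SUSE's kernel-source tooling: it assumes a plain git tree where the introducing and fixing commits are reachable as ancestors (merged, or cherry-picked with -x so the upstream hash is recorded), and does not understand the patches.suse/ queue with its Git-commit: headers. The demo history, its branch names and the tags bad/good standing in for 732d41c545bb and bc0bdc5afaa7 are constructed for the example.

```sh
#!/bin/sh
# Added triage helper (example code, not from the bug record or SUSE tooling).
# Assumption: a plain git tree in which the introducing and fixing commits are
# ancestors of the branches under review. SUSE's patches.suse/ layout is not handled.
set -eu

# contains_commit <repo> <branch> <commit>: true if <commit> is an ancestor of <branch>.
contains_commit() {
    git -C "$1" merge-base --is-ancestor "$3" "$2" 2>/dev/null
}

# classify_branch <repo> <branch> <introducing> <fixing>
# Prints: clean    - the introducing commit never reached this branch
#         affected - introducing commit present, fix missing
#         fixed    - both present (comment 1's "also contain the fixing commit")
classify_branch() {
    if ! contains_commit "$1" "$2" "$3"; then
        echo clean          # a branch may carry the fix without the bug; still clean
    elif contains_commit "$1" "$2" "$4"; then
        echo fixed
    else
        echo affected
    fi
}

# has_cve_reference <repo> <branch> <cve>: true if a commit message on <branch> names the CVE.
# This is the check behind comment 5: "fixed" by containment, but nothing in the log says so.
has_cve_reference() {
    [ -n "$(git -C "$1" log --oneline --grep="$3" "$2" 2>/dev/null)" ]
}

# demo_commit <repo> <message>: empty commit, so the demo needs no file contents.
demo_commit() {
    git -C "$1" -c commit.gpgsign=false commit -q --allow-empty -m "$2"
}

# make_demo_repo: constructed stand-in history; prints the repository path.
# Tags "bad" and "good" stand in for 732d41c545bb and bc0bdc5afaa7 from the bug.
make_demo_repo() {
    r=$(mktemp -d)
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    git -c init.defaultBranch=main init -q "$r"
    demo_commit "$r" "base: tree before the RDMA/cma change"
    git -C "$r" branch clean                    # never got the bug
    demo_commit "$r" "RDMA/cma: stand-in for the introducing commit 732d41c545bb"
    git -C "$r" tag bad
    git -C "$r" branch affected                 # bug present, no fix
    demo_commit "$r" "RDMA/cma: stand-in for the upstream fix bc0bdc5afaa7 (no CVE in message)"
    git -C "$r" tag good
    git -C "$r" branch fixed-untagged           # comment 5: fixed, but the log never names the CVE
    demo_commit "$r" "patches.suse: add References: CVE-2021-4028 to the RDMA listen fix"
    git -C "$r" branch fixed-tagged             # comments 7/8: reference added afterwards
    echo "$r"
}

REPO=$(make_demo_repo)
CVE=CVE-2021-4028
for b in clean affected fixed-untagged fixed-tagged; do
    state=$(classify_branch "$REPO" "$b" bad good)
    if [ "$state" = fixed ] && ! has_cve_reference "$REPO" "$b" "$CVE"; then
        state="fixed (no $CVE reference in log)"
    fi
    printf '%-16s %s\n' "$b" "$state"
done
```

Run against a real tree, point REPO at the clone and replace the bad/good tags with the two hashes from the bug. The containment test is deliberately separate from the log grep: the first answers "is the kernel vulnerable", the second answers "will a user or a livepatch tool find the fix by its CVE", and comment 5 shows the two can disagree.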