Date: Thu, 10 Aug 2017 15:25:20 -0700
From: Willem de Bruijn <>
Cc: Andrey Konovalov <>
Subject: Linux kernel: CVE-2017-1000111: heap out-of-bounds in AF_PACKET sockets


Syzkaller found a race condition in PF_PACKET sockets with setting
socket option PACKET_RESERVE. The bug is analogous to a previous one
with PACKET_VERSION reported as CVE-2016-8655. The same analysis

The bug requires CAP_NET_RAW to open a packet socket. This is a
privileged operation, unless unprivileged user namespaces are enabled.

The fix has been submitted to netdev as

  packet: fix tp_reserve race in packet_set_ring

  Updates to tp_reserve can race with reads of the field in
  packet_set_ring. Avoid this by holding the socket lock during
  updates in setsockopt PACKET_RESERVE.

  This bug was discovered by syzkaller.

  Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
  Reported-by: Andrey Konovalov <>
  Signed-off-by: Willem de Bruijn <>



2017.08.03 - Bug reported to
2017.08.04 - Bug reported to linux-distros@
2017.08.10 - Patch submitted to netdev
2017.08.10 - Announcement on oss-security@
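
To check the precondition stated above (CAP_NET_RAW being reachable without root when unprivileged user namespaces are enabled), this added example, which is not part of the original post, reads the two sysctl files that gate unprivileged user namespace creation: `user.max_user_namespaces` (mainline kernels 4.9 and later) and `kernel.unprivileged_userns_clone` (a Debian/Ubuntu-specific knob). The function names and the optional root-directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a host by whether unprivileged users can create
# user namespaces, the condition under which a packet socket can be opened
# without real root privileges.

read_knob() {
    # Print the sysctl file's value, or nothing when the file is absent.
    [ -r "$1" ] && cat "$1" || true
}

userns_exposure() {
    # $1: sysctl root directory (hypothetical parameter; defaults to the
    #     live /proc/sys so a constructed tree can be checked instead).
    root="${1:-/proc/sys}"
    max=$(read_knob "$root/user/max_user_namespaces")
    clone=$(read_knob "$root/kernel/unprivileged_userns_clone")

    if [ -z "$max" ] && [ -z "$clone" ]; then
        # Neither knob exists: older kernel or user namespaces not built in.
        echo unknown
    elif [ "$max" = "0" ] || [ "$clone" = "0" ]; then
        # Namespace creation is capped at zero, or the distro knob forbids
        # unprivileged creation.
        echo restricted
    else
        # An unprivileged user can create a user namespace and hold
        # CAP_NET_RAW inside it.
        echo exposed
    fi
}

# Report the state of the running host.
echo "unprivileged user namespaces: $(userns_exposure)"
```

A result of `restricted` only covers the user-namespace path; processes that hold CAP_NET_RAW by other means can still open packet sockets.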
