Date: Thu, 10 Aug 2017 15:25:20 -0700
From: Willem de Bruijn <willemdebruijn.kernel@...il.com>
To: oss-security@...ts.openwall.com
Cc: Andrey Konovalov <andreyknvl@...il.com>
Subject: Linux kernel: CVE-2017-1000111: heap out-of-bounds in AF_PACKET sockets

Hi,

Syzkaller found a race condition in PF_PACKET sockets with setting socket
option PACKET_RESERVE. The bug is analogous to a previous one with
PACKET_VERSION reported as CVE-2016-8655. The same analysis applies.

The bug requires CAP_NET_RAW to open a packet socket. This is a privileged
operation, unless unprivileged user namespaces are enabled.

The fix has been submitted to netdev as

  packet: fix tp_reserve race in packet_set_ring

  Updates to tp_reserve can race with reads of the field in
  packet_set_ring. Avoid this by holding the socket lock during updates
  in setsockopt PACKET_RESERVE.

  This bug was discovered by syzkaller.

  Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
  Reported-by: Andrey Konovalov <andreyknvl@...gle.com>
  Signed-off-by: Willem de Bruijn <willemb@...gle.com>

  c27927e372f0785f3303e8fad94b85945e2c97b7
  http://patchwork.ozlabs.org/patch/800274/

Timeline:
2017.08.03 - Bug reported to security@...nel.org
2017.08.04 - Bug reported to linux-distros@
2017.08.10 - Patch submitted to netdev
2017.08.10 - Announcement on oss-security@
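The race the advisory describes, as an added example that is not part of the original post and not the kernel's code: a small user-space C model of a ring setup that validates the requested frame size against tp_hdrlen + tp_reserve, placed next to two PACKET_RESERVE setters, the unlocked one and the one that takes the socket lock. The field names tp_hdrlen and tp_reserve are the kernel's; the frame-size check, the ring_mapped flag, the model_lock helpers standing in for lock_sock()/release_sock(), and the preempt hook that injects the racing setsockopt are all assumptions made for this model.

```c
/* Model of the PACKET_RESERVE vs. packet_set_ring race and its fix.
 * Added example: single-threaded user-space simulation, not kernel code.
 * The lock, the ring_mapped flag and the preempt hook are assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct model_sock {
    bool locked;             /* stands in for the socket lock (lock_sock) */
    unsigned int tp_hdrlen;  /* per-frame header length */
    unsigned int tp_reserve; /* headroom reserved in front of each packet */
    unsigned int frame_size; /* size of each ring frame once a ring exists */
    bool ring_mapped;        /* a ring has been set up (assumed flag) */
};

/* Lock helpers: a real lock_sock() would block; the model records that
 * the lock is held so a racer can see it would have had to wait. */
static void model_lock(struct model_sock *po)   { po->locked = true; }
static void model_unlock(struct model_sock *po) { po->locked = false; }
static bool model_trylock(struct model_sock *po)
{
    if (po->locked)
        return false;
    po->locked = true;
    return true;
}

/* Hook run between validation and commit in set_ring: models a point
 * where another thread's setsockopt(PACKET_RESERVE) gets to run. */
typedef void (*preempt_fn)(struct model_sock *);

/* Vulnerable pattern: the reserve is written without the socket lock, so
 * it can change after set_ring has already validated the frame size. */
int set_reserve_unlocked(struct model_sock *po, unsigned int val)
{
    if (po->ring_mapped)
        return -EBUSY;
    po->tp_reserve = val;
    return 0;
}

/* Fixed pattern: check and update happen under the same lock set_ring
 * holds, so the write can no longer interleave with set_ring's reads. */
int set_reserve_locked(struct model_sock *po, unsigned int val)
{
    int ret;
    model_lock(po);
    if (po->ring_mapped) {
        ret = -EBUSY;
    } else {
        po->tp_reserve = val;
        ret = 0;
    }
    model_unlock(po);
    return ret;
}

/* Ring setup under the socket lock: reject frames too small for header
 * plus reserve, then commit the ring. preempt() runs in between. */
int set_ring(struct model_sock *po, unsigned int frame_size, preempt_fn preempt)
{
    int ret = 0;
    model_lock(po);
    if (frame_size < po->tp_hdrlen + po->tp_reserve) {
        ret = -EINVAL;
    } else {
        if (preempt)
            preempt(po);
        po->frame_size = frame_size;
        po->ring_mapped = true;
    }
    model_unlock(po);
    return ret;
}

/* The invariant the frame-size check is meant to guarantee. When it is
 * false, a received packet placed after the reserve runs past the frame. */
bool ring_is_consistent(const struct model_sock *po)
{
    return !po->ring_mapped || po->frame_size >= po->tp_hdrlen + po->tp_reserve;
}

static void init_sock(struct model_sock *po)
{
    po->locked = false; po->tp_hdrlen = 32; po->tp_reserve = 0;
    po->frame_size = 0;  po->ring_mapped = false;
}

/* Racer for the vulnerable setter: ignores the lock and bumps the reserve
 * after set_ring has validated frame_size against the old value. */
static void racer_unlocked(struct model_sock *po) { set_reserve_unlocked(po, 4096); }

static bool racer_had_to_wait;
/* Racer for the fixed setter: it cannot take the lock while set_ring
 * holds it, so it only records that it would have blocked. */
static void racer_locked(struct model_sock *po)
{
    racer_had_to_wait = !model_trylock(po);
}

/* Returns true when the unlocked setter wins the race and leaves a ring
 * whose frames are smaller than header + reserve. */
bool demo_unlocked(void)
{
    struct model_sock po; init_sock(&po);
    return set_ring(&po, 2048, racer_unlocked) == 0 && !ring_is_consistent(&po);
}

/* Returns what the racing PACKET_RESERVE call gets in the fixed version:
 * it waits for set_ring to finish, then sees the mapped ring: -EBUSY. */
int demo_locked(void)
{
    struct model_sock po; init_sock(&po);
    if (set_ring(&po, 2048, racer_locked) != 0 || !racer_had_to_wait)
        return -1;
    int ret = set_reserve_locked(&po, 4096);   /* the waiting thread resumes */
    return ring_is_consistent(&po) ? ret : -1;
}

int main(void)
{
    printf("unlocked setter: ring inconsistent after race = %d\n", demo_unlocked());
    printf("locked setter:   racing PACKET_RESERVE returns %d (-EBUSY = %d)\n",
           demo_locked(), -EBUSY);
    return 0;
}
```

The model keeps set_ring's own locking the same in both runs; only the setter changes. That mirrors the fix's shape: the read side already ran under the socket lock, and the bug was the writer updating the field without taking it.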