Date: Thu, 10 Aug 2017 15:25:20 -0700
From: Willem de Bruijn <willemdebruijn.kernel@...il.com>
To: oss-security@...ts.openwall.com
Cc: Andrey Konovalov <andreyknvl@...il.com>
Subject: Linux kernel: CVE-2017-1000111: heap out-of-bounds in AF_PACKET sockets

Hi,

Syzkaller found a race condition in PF_PACKET sockets with setting
socket option PACKET_RESERVE. The bug is analogous to a previous one
with PACKET_VERSION reported as CVE-2016-8655. The same analysis
applies.

The bug requires CAP_NET_RAW to open a packet socket. This is a
privileged operation, unless unprivileged user namespaces are enabled.

The fix has been submitted to netdev as

  packet: fix tp_reserve race in packet_set_ring

  Updates to tp_reserve can race with reads of the field in
  packet_set_ring. Avoid this by holding the socket lock during
  updates in setsockopt PACKET_RESERVE.

  This bug was discovered by syzkaller.

  Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
  Reported-by: Andrey Konovalov <andreyknvl@...gle.com>
  Signed-off-by: Willem de Bruijn <willemb@...gle.com>

  c27927e372f0785f3303e8fad94b85945e2c97b7
  http://patchwork.ozlabs.org/patch/800274/

Timeline:

2017.08.03 - Bug reported to security@...nel.org
2017.08.04 - Bug reported to linux-distros@
2017.08.10 - Patch submitted to netdev
2017.08.10 - Announcement on oss-security@
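
Added example, not part of the original message or of the kernel patch: a shell check for the exposure condition stated above, reporting whether unprivileged user namespaces (and with them CAP_NET_RAW inside a namespace) are available on a host. The two sysctl paths and the ROOT prefix argument, used only to point the check at a constructed test tree, are assumptions that do not appear in the advisory.

```shell
#!/bin/sh
# Added example: classify whether unprivileged users can create user
# namespaces, the case in which opening a packet socket needs no real privilege.
# Assumed sysctls (not named in the advisory):
#   user.max_user_namespaces          upstream, 0 disables all user namespaces
#   kernel.unprivileged_userns_clone  Debian/Ubuntu kernels, 0 blocks unprivileged use

# Print the value stored in a sysctl file, or nothing if the file is absent.
read_sysctl() {
    [ -r "$1" ] && tr -d ' \n' < "$1"
    return 0
}

# userns_status [ROOT]  ->  prints enabled | disabled | unknown
# ROOT is a hypothetical prefix so the check can run against a test tree.
userns_status() {
    root="${1:-}"
    max=$(read_sysctl "$root/proc/sys/user/max_user_namespaces")
    clone=$(read_sysctl "$root/proc/sys/kernel/unprivileged_userns_clone")

    if [ -z "$max" ] && [ -z "$clone" ]; then
        # Neither knob exists: an older or differently patched kernel.
        echo unknown
    elif [ "$max" = 0 ] || [ "$clone" = 0 ]; then
        echo disabled
    else
        echo enabled
    fi
}

echo "unprivileged user namespaces: $(userns_status "${1:-}")"
```

A result of "unknown" means neither sysctl is present, so the kernel configuration has to be checked another way; it is not evidence that the host is unaffected.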
