Date: Thu, 14 Sep 2017 14:45:44 +0200
From: Thomas Jarosch <thomas.jarosch@...ra2net.com>
To: oss-security@...ts.openwall.com
Cc: Andrey Konovalov <andreyknvl@...il.com>
Subject: Re: Re: Linux kernel: CVE-2017-1000112: Exploitable memory corruption due to UFO to non-UFO path switch

Hi Andrey,

On Sunday, 13 August 2017 18:21:55 CEST Andrey Konovalov wrote:
> ### Exploitation
> 
> The bug can be exploited by an unprivileged user if:
> 
> 1. User can set up an interface with UFO enabled and MTU < 65535 or
> such interface is already present in the system. The former is
> possible from inside a user namespace.

The aftermath of this bug is that UFO is scheduled
to be removed in the kernel. According to David Miller
it's too much code complexity for little gain.
(https://www.spinics.net/lists/netdev/msg443815.html)

An easy security fix for old kernels is therefore to prevent UFO
from becoming enabled. This is done by masking the UFO feature
inside net/core/dev.c:netdev_fix_features(), which gets called
during register_netdevice() and also when someone tries to
re-enable UFO f.e. with ethtool later on.

I'm sharing my "one line" patch here in case it's useful to someone
else stuck on old kernel versions, f.e. Android phones.
Also please correct me if I'm wrong on this fix.

Cheers,
Thomas

------------------------
Disable UFO support in the kernel. Prevents CVE-2017-1000112.

Upstream UFO removal:
https://www.spinics.net/lists/netdev/msg443815.html

Signed-off-by: Thomas Jarosch <thomas.jarosch@...ra2net.com>
diff -u -r -p linux-3.14/net/core/dev.c linux.disable_ufo/net/core/dev.c
--- linux-3.14/net/core/dev.c	2014-03-31 05:40:15.000000000 +0200
+++ linux.disable_ufo/net/core/dev.c	2017-09-14 12:29:01.958899810 +0200
@@ -5658,23 +5658,8 @@ static netdev_features_t netdev_fix_feat
 		features &= ~NETIF_F_GSO;
 	}
 
-	/* UFO needs SG and checksumming */
-	if (features & NETIF_F_UFO) {
-		/* maybe split UFO into V4 and V6? */
-		if (!((features & NETIF_F_GEN_CSUM) ||
-		    (features & (NETIF_F_IP_CSUM|NETIF_F_IPV6_CSUM))
-			    == (NETIF_F_IP_CSUM|NETIF_F_IPV6_CSUM))) {
-			netdev_dbg(dev,
-				"Dropping NETIF_F_UFO since no checksum offload features.\n");
-			features &= ~NETIF_F_UFO;
-		}
-
-		if (!(features & NETIF_F_SG)) {
-			netdev_dbg(dev,
-				"Dropping NETIF_F_UFO since no NETIF_F_SG feature.\n");
-			features &= ~NETIF_F_UFO;
-		}
-	}
+	/* Disable UFO to prevent CVE-2017-1000112. UFO support is removed upstream */
+	features &= ~NETIF_F_UFO;
 
 	return features;
 }
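
Review bot: the unconditional `features &= ~NETIF_F_UFO;` at the end of netdev_fix_features() drops the feature silently, whereas the removed block logged each drop through netdev_dbg(). Consider keeping one netdev_dbg() call guarded by `if (features & NETIF_F_UFO)` so that a later attempt to re-enable UFO leaves a trace of why the request was ignored. The new comment is also a single line running well past 80 columns and its second sentence has no full stop; wrapping it as a multi-line comment would match the style of the code around it.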

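One way to confirm on a running system that the mask described in the message above took effect, as an added example that is not part of the original post or of the kernel tree. It assumes the `udp-fragmentation-offload` label and the `[requested on]` annotation printed by `ethtool -k`; the sample outputs are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: confirm the UFO mask took effect by reading `ethtool -k` output.

# Print "on", "off" or "absent" for the UFO feature line read from stdin.
ufo_state() {
    awk -F': *' '
        { key = $1; sub(/^[ \t]+/, "", key) }
        key == "udp-fragmentation-offload" {
            split($2, w, " ")   # w[1] is on/off; the rest is [fixed] or [requested on]
            state = w[1]
        }
        END { print (state == "" ? "absent" : state) }'
}

# Constructed sample: unpatched kernel, UFO active on the interface.
sample_enabled() { cat <<'EOF'
Features for eth0:
scatter-gather: on
udp-fragmentation-offload: on
generic-segmentation-offload: on
EOF
}

# Constructed sample: UFO was requested but the kernel masked it out.
sample_masked() { cat <<'EOF'
Features for eth0:
scatter-gather: on
udp-fragmentation-offload: off [requested on]
generic-segmentation-offload: on
EOF
}

# Check every interface on this host; return 1 if any still has UFO active.
audit_host() {
    rc=0
    for path in /sys/class/net/*; do
        ifc=${path##*/}
        state=$(ethtool -k "$ifc" 2>/dev/null | ufo_state)
        printf '%-16s %s\n' "$ifc" "$state"
        if [ "$state" = "on" ]; then rc=1; fi
    done
    return "$rc"
}

# Run the host audit only when asked; sourcing the file just defines functions.
if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

Run with `--audit` on the target host; a non-zero exit status means at least one interface still reports UFO as active.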