Message-ID: <1205294999.1101309.1503488822700.JavaMail.zimbra@redhat.com>
Date: Wed, 23 Aug 2017 07:47:02 -0400 (EDT)
From: Vladis Dronov <vdronov@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2017-7558: Linux kernel: sctp: out-of-bounds read in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info()

Heololo,

A kernel data leak due to an out-of-bounds read was found in the Linux kernel in the inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions, present since v4.7-rc1 up to and including v4.13-rc6. The data leak happens when these functions fill in the sockaddr data structures used to export a socket's diagnostic information. As a result, up to 100 bytes of slab data can be leaked to userspace.

Details: it leaks exactly 100 bytes of a kernel slab whenever we answer a netlink request of type INET_DIAG_LOCALS or INET_DIAG_PEERS for an SCTP socket (e.g. one sent by the 'ss' tool included in the 'iproute2' package with 'ss -Si' or 'ss -Sm').

The researcher of this flaw and the patch author is Stefano Brivio of Red Hat.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1480266
https://marc.info/?t=150348787500002&r=1&w=2

Suggested patch:
https://marc.info/?l=linux-netdev&m=150348777122761&w=2

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer
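The message states the size of the leak (exactly 100 bytes per address) but not where that number comes from. The userspace model below is an added example, not code from the advisory or from the kernel: it assumes the pre-fix fill copied addrlen = sizeof(struct sockaddr_storage) (128 bytes on Linux) out of an address union whose largest member is struct sockaddr_in6 (28 bytes), so 128 - 28 = 100 bytes of whatever follows the union in the slab object end up in the netlink reply. The union, the slab object with its poisoned neighbour bytes, and the two fill routines (vulnerable and fixed) are constructed here to show that arithmetic; they are not the kernel's own definitions.

```c
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Model of the kernel's SCTP address union (assumption: same members as
 * union sctp_addr). Its largest member, struct sockaddr_in6, is 28 bytes. */
union model_sctp_addr {
    struct sockaddr sa;
    struct sockaddr_in v4;
    struct sockaddr_in6 v6;
};

/* Poison value standing in for unrelated kernel data adjacent to the address. */
#define SLAB_POISON 0xAA

/* Constructed stand-in for a slab object: the address followed by bytes that
 * must never reach userspace. The trailing area is large enough that the
 * over-read below stays inside this object (the kernel has no such guard). */
struct model_slab_object {
    union model_sctp_addr a;
    uint8_t neighbour[128];
};

static void make_object(struct model_slab_object *obj)
{
    memset(obj, 0, sizeof *obj);
    obj->a.v6.sin6_family = AF_INET6;
    obj->a.v6.sin6_port = htons(9899);
    obj->a.v6.sin6_addr.s6_addr[15] = 1; /* ::1, constructed sample address */
    memset(obj->neighbour, SLAB_POISON, sizeof obj->neighbour);
}

/* Vulnerable fill: copies a whole struct sockaddr_storage (128 bytes) out of
 * the 28-byte union, as the pre-fix diag code did. Returns bytes written. */
static size_t fill_vulnerable(uint8_t *out, size_t outlen,
                              const struct model_slab_object *obj)
{
    size_t addrlen = sizeof(struct sockaddr_storage);
    const uint8_t *src = (const uint8_t *)&obj->a;
    if (addrlen > outlen)
        return 0;
    memcpy(out, src, addrlen); /* reads 100 bytes past the end of the union */
    return addrlen;
}

/* Fixed fill: copies only the union itself, so the reply carries nothing that
 * lies beyond the address. Returns bytes written. */
static size_t fill_fixed(uint8_t *out, size_t outlen,
                         const struct model_slab_object *obj)
{
    size_t addrlen = sizeof(union model_sctp_addr);
    if (addrlen > outlen)
        return 0;
    memcpy(out, &obj->a, addrlen);
    return addrlen;
}

/* Count how many bytes of the reply payload carry the poison pattern, i.e.
 * how much neighbouring slab memory was exported. */
static size_t count_leaked(const uint8_t *out, size_t n)
{
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++)
        if (out[i] == SLAB_POISON)
            leaked++;
    return leaked;
}

size_t leak_vulnerable(void)
{
    struct model_slab_object obj;
    uint8_t out[256];
    make_object(&obj);
    return count_leaked(out, fill_vulnerable(out, sizeof out, &obj));
}

size_t leak_fixed(void)
{
    struct model_slab_object obj;
    uint8_t out[256];
    make_object(&obj);
    return count_leaked(out, fill_fixed(out, sizeof out, &obj));
}

int main(void)
{
    printf("sizeof(struct sockaddr_storage) = %zu, sizeof(address union) = %zu\n",
           sizeof(struct sockaddr_storage), sizeof(union model_sctp_addr));
    printf("vulnerable fill leaks %zu bytes, fixed fill leaks %zu bytes\n",
           leak_vulnerable(), leak_fixed());
    return 0;
}
```

The check a practitioner wants is the difference of the two sizeof values: any fill that copies a fixed struct sockaddr_storage out of a smaller address union exports that many bytes of neighbouring memory per address, and a netlink dump of many SCTP sockets multiplies the exposure.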