|
Message-ID: <466141472.14007261.1506337465946.JavaMail.zimbra@redhat.com> Date: Mon, 25 Sep 2017 07:04:25 -0400 (EDT) From: Vladis Dronov <vdronov@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: CVE-2017-14489: Linux kernel: scsi: nlmsg is not properly parsed in iscsi_if_rx() heololo, an additional research shows that the very latest kernels are not showing a crash with a reproducer. git bisect showed that: commit 7f564528a480084e2318cd48caba7aef4a54a77f (between v4.11 and v4.12-rc1) is the first commit a crash is not reproduced with: commit 7f564528a480084e2318cd48caba7aef4a54a77f Author: Steffen Klassert <steffen.klassert@...unet.com> Date: Sat Apr 8 20:36:24 2017 +0200 skbuff: Extend gso_type to unsigned int. i.e. this is commit which fixed the crash. checking the code, it looks like struct skb_shared_info's fields were reordered, so a field which overwrite was causing a panic has been moved. nevertheless, the buffer overwrite is still there, so a suggested patch 9923803 (or its later version) is still needed. for a proof compare a flaw description: > ev = nlmsg_data(nlh) will acutally get skb_shinfo(SKB) instead and set a > new value to skb_shinfo(SKB)->nr_frags by ev->type. and the commit message: > The remaining two byte hole is moved to the > beginning of the structure, this protects us > from immediate overwites on out of bound writes > to the sk_buff head. > > Structure layout on x86-64 before the change: > > struct skb_shared_info { > unsigned char nr_frags; > __u8 tx_flags; > > Structure layout on x86-64 after the change: > > struct skb_shared_info { > short unsigned int _unused; > unsigned char nr_frags; > __u8 tx_flags; Best regards, Vladis Dronov | Red Hat, Inc. | Product Security Engineer
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.