fix use after free in tcp_xmit_retransmit_queue() in kernel-net-tcp CVE-2016-6828 critical

Tracked by Jolla (In progress)

asked 2017-05-19 11:52:41 +0200

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

updated 2017-05-19 11:52:41 +0200

lpr gravatar image

Description

The tcp_check_send_head function in include/net/tcp.h in the Linux kernel before 4.7.5 does not properly maintain certain SACK state after a failed data copy, which allows local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option. CVSSv3: 5.5 medium (attack range: local)

Patch is available.

File affected: kernel-adaptation-sbj-3.4.108.20161101.1/include/net/tcp.h lines 1297-1302

edit retag flag offensive close delete

Comments

@lpr are you a kernel expert or a security expert ? you give a huge list of system leak since several months. i'm impressed

cemoi71 ( 2017-05-19 12:17:23 +0200 )edit

@cemoi71 no, I'm not. I'm just looking around on https://source.android.com/security/bulletin/
Jolla seems to be too small to maintain a now unmaintained kernel (3.4) so they need some help. Kernel-sources are available so everyone should be encouraged to look into and inform them if anything found...

lpr ( 2017-05-19 12:56:19 +0200 )edit

i find nice that someone bring it on top

cemoi71 ( 2017-05-22 12:28:39 +0200 )edit