fix tp_reserve race in packet_set_ring in kernel-net-packet CVE-2017-1000111

Tracked by Jolla (Rejected)

asked 2017-08-16 01:23:15 +0200

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

updated 2017-08-16 01:23:15 +0200

lpr gravatar image

heap out-of-bounds in AF_PACKET sockets

Updates to tp_reserve can race with reads of the field in packet_set_ring. Avoid this by holding the socket lock during updates in setsockopt PACKET_RESERVE. This bug was discovered by syzkaller. Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")

Exploitable if non-privileged user namespaces enabled.

Patch is available.

File affected: kernel-adaptation-sbj-3.4.108.20161101.1/net/packet/af_packet.c lines 3140-3150

edit retag flag offensive close delete