fix tp_reserve race in packet_set_ring in kernel-net-packet CVE-2017-1000111
Tracked by Jolla
(Rejected)
asked 2017-08-16 01:23:15 +0200
This post is a wiki. Anyone with karma >75 is welcome to improve it.
heap out-of-bounds in AF_PACKET sockets
Updates to tp_reserve can race with reads of the field in packet_set_ring. Avoid this by holding the socket lock during updates in setsockopt PACKET_RESERVE. This bug was discovered by syzkaller. Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Exploitable if non-privileged user namespaces enabled.
Patch is available.
File affected: kernel-adaptation-sbj-3.4.108.20161101.1/net/packet/af_packet.c lines 3140-3150