fix tp_reserve race in packet_set_ring in kernel-net-packet CVE-2017-1000111

Tracked by Jolla

asked 2017-08-16 01:23:15 +0300

this post is marked as community wiki


updated 2017-08-16 01:23:15 +0300

lpr

heap out-of-bounds in AF_PACKET sockets

Updates to tp_reserve can race with reads of the field in packet_set_ring. Avoid this by holding the socket lock during updates in setsockopt PACKET_RESERVE. This bug was discovered by syzkaller.

Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")

Exploitable if non-privileged user namespaces are enabled.

Patch is available.

File affected: kernel-adaptation-sbj- lines 3140-3150
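As an added illustration (not code from this post or from the kernel), a user-space C model of the check-then-update pattern the fix closes: a pthread mutex stands in for lock_sock(), HDRLEN, the function names and the 4096 value are constructed, and set_ring takes a hook so a test can inject a concurrent PACKET_RESERVE update between its size check and its commit.

```c
/* User-space model of the packet_set_ring / PACKET_RESERVE race. Not kernel code. */
#include <errno.h>
#include <limits.h>
#include <pthread.h>
#include <stdbool.h>

#define HDRLEN 32u  /* constructed stand-in for the tpacket header length */

struct pkt_sock {
    pthread_mutex_t lock;    /* models lock_sock() / release_sock() */
    unsigned int tp_reserve; /* bytes reserved in front of each frame's data */
    unsigned int frame_size;
    bool ring_mapped;        /* models rx_ring.pg_vec != NULL */
};
#define PKT_SOCK_INIT { PTHREAD_MUTEX_INITIALIZER, 0, 0, false }

/* Pre-fix shape: the busy check and the write happen without the socket lock. */
int set_reserve_unlocked(struct pkt_sock *po, unsigned int val)
{
    if (val > INT_MAX) return -EINVAL;
    if (po->ring_mapped) return -EBUSY;
    po->tp_reserve = val;   /* can land between set_ring's check and its commit */
    return 0;
}

/* Fixed shape: busy check and update form one critical section under the lock. */
int set_reserve_locked(struct pkt_sock *po, unsigned int val)
{
    int ret = 0;
    if (val > INT_MAX) return -EINVAL;
    pthread_mutex_lock(&po->lock);
    if (po->ring_mapped) ret = -EBUSY; else po->tp_reserve = val;
    pthread_mutex_unlock(&po->lock);
    return ret;
}

/* Constructed interleaving: an unlocked reserve update slipping in mid-set_ring. */
void concurrent_reserve_update(struct pkt_sock *po) { set_reserve_unlocked(po, 4096); }

/* Model of packet_set_ring's size validation; 'step' runs between check and commit. */
int set_ring(struct pkt_sock *po, unsigned int frame_size, void (*step)(struct pkt_sock *))
{
    int ret = 0;
    pthread_mutex_lock(&po->lock);
    if (frame_size < HDRLEN + po->tp_reserve) ret = -EINVAL;
    else { if (step) step(po); po->frame_size = frame_size; po->ring_mapped = true; }
    pthread_mutex_unlock(&po->lock);
    return ret;
}

/* Invariant the fix restores: every frame holds the header plus tp_reserve. */
bool frame_fits(const struct pkt_sock *po)
{
    return !po->ring_mapped || po->frame_size >= HDRLEN + po->tp_reserve;
}
```

With the unlocked update injected, the ring is committed with a frame that is smaller than header plus reserve, which is the out-of-bounds condition the post describes; with the locked variant the update is either validated by set_ring or rejected with EBUSY.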
