consistently apply ufo or fragmentation in kernel-net-udp CVE-2017-1000112
asked 2017-08-16 01:49:33 +0200
Exploitable memory corruption due to UFO to non-UFO path switch
When iteratively building a UDP datagram with MSG_MORE and that datagram exceeds MTU, consistently choose UFO or fragmentation.

Once skb_is_gso, always apply ufo. Conversely, once a datagram is split across multiple skbs, do not consider ufo.

Sendpage already maintains the first invariant, only add the second. IPv6 does not have a sendpage implementation to modify.

A gso skb must have a partial checksum, do not follow sk_no_check_tx in udp_send_skb.

Found by syzkaller.

Fixes: e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach")
Exploitable if unprivileged user namespaces are enabled.
Upstream patch is available.
Files affected: kernel-adaptation-sbj-3.4.108.20161101.1/net/ipv4/ip_output.c lines 845-853 (diffs in if() ); 1173-1178 (diffs in 1175-sbj and 1179-sbj )
kernel-adaptation-sbj-3.4.108.20161101.1/ipv4/udp.c lines 736-742 (diff sk->sk_no_check_tx / sk->sk_no_check and UDP_CSUM_NOXMIT)
kernel-adaptation-sbj-3.4.108.20161101.1/net/ipv6/ip6_output.c lines 1338-1345 (diffs in if() and (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk) )
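Added example, not code from this page or from the kernel: a user-space C model of the UFO-versus-fragmentation choice made while appending MSG_MORE chunks to a UDP datagram, with the pre-fix and post-fix predicates side by side. The header length, the queue model and the handling of an already-queued skb on the UFO path are simplifying assumptions; the model replays a sequence of chunk sizes and counts appends that break either invariant stated in the commit message.

```c
#include <stdbool.h>
#define MTU 1500
#define HDRLEN 28   /* assumed IPv4 + UDP header bytes carried in each skb */
#define MAX_SKBS 32 /* device UFO support and socket checksumming assumed on */
struct skb { int len; bool gso; };
struct queue { struct skb skb[MAX_SKBS]; int n; };
static bool last_is_gso(const struct queue *q) { return q->n && q->skb[q->n - 1].gso; }
/* Pre-fix predicate: the size test looks at the current chunk only. */
static bool use_ufo_old(const struct queue *q, int length) {
    return (length + HDRLEN > MTU) || last_is_gso(q);
}
/* Post-fix: a gso skb stays UFO; a datagram already split over several skbs
 * is never switched to UFO; the size test counts data already queued. */
static bool use_ufo_new(const struct queue *q, int length) {
    int queued = q->n ? q->skb[q->n - 1].len : HDRLEN;
    return last_is_gso(q) || (length + queued > MTU && q->n <= 1);
}

/* One MSG_MORE append; true when both commit-message invariants hold for this call. */
static bool append(struct queue *q, int length, bool fixed) {
    bool ufo = fixed ? use_ufo_new(q, length) : use_ufo_old(q, length);
    bool ok = ufo ? (q->n <= 1) : !last_is_gso(q);
    if (q->n == 0) q->skb[q->n++] = (struct skb){ HDRLEN, false };
    struct skb *last = &q->skb[q->n - 1];
    if (ufo) {                    /* UFO: one oversized skb, segmented by the NIC */
        last->gso = true;
        last->len += length;
        return ok;
    }
    while (length > 0) {          /* fragmentation: fill skbs up to the MTU */
        if (last->len >= MTU) {   /* current skb is full, start another one */
            if (q->n == MAX_SKBS) break;
            last = &q->skb[q->n++];
            *last = (struct skb){ HDRLEN, false };
        }
        int copy = length < MTU - last->len ? length : MTU - last->len;
        last->len += copy;
        length -= copy;
    }
    return ok;
}
/* Replays sendmsg(MSG_MORE) chunk sizes; returns how many appends broke an invariant. */
static int invariant_violations(bool fixed, const int *lens, int n) {
    struct queue q = { .n = 0 }; int bad = 0;
    for (int i = 0; i < n; i++) bad += !append(&q, lens[i], fixed);
    return bad;
}

static const int sample_lens[] = { 1000, 1000, 2000 }; /* constructed: two sub-MTU chunks, then one over MTU */
```

With the old predicate the third chunk switches the already-split datagram to UFO (one violation); with the new predicate the second chunk already takes UFO while the datagram is still a single skb, so the path never changes afterwards.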
hm, it is not patched in SFOS 3.0.1.11 for Jolla1. Hopefully in the next release...
lpr (2019-01-09 18:30:10 +0200)