Fix aborted xfrm policy dump crash in kernel-net-ipsec CVE-2017-16939
Tracked by Jolla
(Rejected)
asked 2018-01-16 10:12:50 +0200
This post is a wiki. Anyone with karma >75 is welcome to improve it.
The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel before 4.13.11 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages. (Score: 7.8high / local)
Patch is available.
File affected: kernel-adaptation-sbj-3.4.108.20161101.1/net/xfrm/xfrm_user.c lines 1520-1525
So the patch should look like:
@@ -1520,7 +1520,8 @@ static int xfrm_dump_policy_done(struct netlink_callback *cb)
{
struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
- xfrm_policy_walk_done(walk);
+ if (cb->args[0])
+ xfrm_policy_walk_done(walk);
return 0;
}