Fix aborted xfrm policy dump crash in kernel-net-ipsec CVE-2017-16939

Tracked by Jolla

asked 2018-01-16 10:12:50 +0300

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

updated 2018-01-16 10:13:18 +0300

lpr gravatar image

The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel before 4.13.11 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages. (Score: 7.8high / local)

Patch is available.

File affected: kernel-adaptation-sbj-3.4.108.20161101.1/net/xfrm/xfrm_user.c lines 1520-1525

So the patch should look like:

@@ -1520,7 +1520,8 @@ static int xfrm_dump_policy_done(struct netlink_callback *cb)
 {
    struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];

-   xfrm_policy_walk_done(walk);
+   if (cb->args[0])
+       xfrm_policy_walk_done(walk);
    return 0;
 }
edit retag flag offensive close delete