Ask / Submit

Revision history [back]

click to hide/show revision 1
initial version

posted 2017-08-16 01:23:15 +0200

fix tp_reserve race in packet_set_ring in kernel-net-packet CVE-2017-1000111

heap out-of-bounds in AF_PACKET sockets

Updates to tp_reserve can race with reads of the field in packet_set_ring. Avoid this by holding the socket lock during updates in setsockopt PACKET_RESERVE. This bug was discovered by syzkaller. Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")

Exploitable if non-privileged user namespaces enabled.

Patch is available.

File affected: kernel-adaptation-sbj-3.4.108.20161101.1/net/packet/af_packet.c lines 3140-3150