Revision history

initial version

posted 2017-08-16 01:49:33 +0200

consistently apply ufo or fragmentation in kernel-net-udp CVE-2017-1000112

Exploitable memory corruption due to UFO to non-UFO path switch

When iteratively building a UDP datagram with MSG_MORE and that datagram exceeds MTU, consistently choose UFO or fragmentation.

Once skb_is_gso, always apply ufo. Conversely, once a datagram is split across multiple skbs, do not consider ufo.

Sendpage already maintains the first invariant, only add the second. IPv6 does not have a sendpage implementation to modify.

A gso skb must have a partial checksum, do not follow sk_no_check_tx in udp_send_skb.

Found by syzkaller.

Fixes: e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach")

Exploitable if unprivileged user namespaces are enabled.

Upstream patch is available.

Files affected: kernel-adaptation-sbj-3.4.108.20161101.1/net/ipv4/ip_output.c lines 845-853 (diffs in if()); 1173-1178 (diffs in 1175-sbj and 1179-sbj)

kernel-adaptation-sbj-3.4.108.20161101.1/ipv4/udp.c lines 736-742 (diff sk->sk_no_check_tx / sk->sk_no_check and UDP_CSUM_NOXMIT)

kernel-adaptation-sbj-3.4.108.20161101.1/net/ipv6/ip6_output.c lines 1338-1345 (diffs in if() and (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk))

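The two invariants in the commit message above (once the tail skb is gso, stay on the UFO path; once the datagram is split across more than one skb, never enter it) can be checked in isolation with a small user-space model of the decision predicate in __ip_append_data(). The following C program is an added example written for this page; it is neither the poster's code nor the kernel's. It reduces the cork to a handful of fields (MTU, IP header length, number of queued skbs, whether the tail skb is gso, the device's UFO feature bit and sk_no_check_tx) and models one sendmsg(MSG_MORE) chunk as one append() call, with the fragmentation path simply packing data into MTU-sized skbs; names such as `choose_old`, `choose_fixed` and `struct cork` are the example's own, and the "old" predicate is the pre-fix shape of the `if ((length > mtu) || skb_is_gso(skb)) && ...` test, the "fixed" one the post-fix shape with the `skb_queue_len(queue) <= 1` guard.

```c
/* Added example (not kernel code): model the UFO-vs-fragmentation choice of
 * __ip_append_data() before and after the CVE-2017-1000112 fix.
 * Assumptions: one append() == one sendmsg(MSG_MORE) chunk; the fragmentation
 * path fills the tail skb up to (mtu - fragheaderlen) and then opens a new skb;
 * the UFO path turns the tail skb into a gso skb and keeps appending to it. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum path { PATH_UFO, PATH_FRAG };

struct cork {
    size_t mtu;           /* path MTU, including the IP header */
    size_t fragheaderlen; /* IP header length: 20 for IPv4 without options */
    size_t queue_len;     /* skb_queue_len(queue) for this datagram */
    size_t tail_len;      /* payload already in the tail skb */
    bool   tail_is_gso;   /* skb_is_gso(skb_peek_tail(queue)) */
    bool   dev_ufo;       /* rt->dst.dev->features & NETIF_F_UFO */
    bool   no_check_tx;   /* sk->sk_no_check_tx (SO_NO_CHECK) */
};

/* Pre-fix shape: the length test and the gso test share one && chain, so a
 * split datagram can still enter UFO, and a gso tail can still drop out of it. */
static enum path choose_old(const struct cork *c, size_t length)
{
    bool skb = c->queue_len > 0;
    if (((length > c->mtu) || (skb && c->tail_is_gso)) &&
        c->dev_ufo && !c->no_check_tx)
        return PATH_UFO;
    return PATH_FRAG;
}

/* Post-fix shape: a gso tail forces UFO unconditionally; otherwise UFO is only
 * considered while the datagram is not yet split (skb_queue_len(queue) <= 1). */
static enum path choose_fixed(const struct cork *c, size_t length)
{
    bool skb = c->queue_len > 0;
    if ((skb && c->tail_is_gso) ||
        (((length + c->fragheaderlen) > c->mtu) &&
         (c->queue_len <= 1) &&
         c->dev_ufo && !c->no_check_tx))
        return PATH_UFO;
    return PATH_FRAG;
}

/* Apply one chunk to the modelled cork and return the path taken. */
static enum path append(struct cork *c, size_t length, bool fixed)
{
    enum path p = fixed ? choose_fixed(c, length) : choose_old(c, length);
    if (p == PATH_UFO) {
        if (c->queue_len == 0)
            c->queue_len = 1;         /* ip_ufo_append_data allocates one skb */
        c->tail_is_gso = true;        /* gso_type = SKB_GSO_UDP on the tail */
        c->tail_len += length;
        return p;
    }
    size_t room = c->mtu - c->fragheaderlen;
    while (length > 0) {              /* fragmentation path: MTU-sized skbs */
        if (c->queue_len == 0 || c->tail_len >= room) {
            c->queue_len++;
            c->tail_len = 0;
        }
        size_t take = room - c->tail_len;
        if (take > length)
            take = length;
        c->tail_len += take;
        length -= take;
    }
    return p;
}

/* Second invariant: two 1000-byte chunks leave the datagram split across two
 * non-gso skbs; a 3000-byte chunk then exceeds the MTU. Returns true if the
 * model switches a split datagram onto the UFO path. */
static bool split_then_large_switches_to_ufo(bool fixed)
{
    struct cork c = { .mtu = 1500, .fragheaderlen = 20, .dev_ufo = true };
    append(&c, 1000, fixed);
    append(&c, 1000, fixed);
    if (c.queue_len <= 1 || c.tail_is_gso)
        return false;
    return append(&c, 3000, fixed) == PATH_UFO;
}

/* First invariant: a chunk larger than the MTU makes the tail skb gso; if a
 * socket option such as SO_NO_CHECK flips before the next chunk, the old
 * predicate leaves the UFO path. Returns true if the model leaves it. */
static bool gso_then_no_check_leaves_ufo(bool fixed)
{
    struct cork c = { .mtu = 1500, .fragheaderlen = 20, .dev_ufo = true };
    if (append(&c, 3000, fixed) != PATH_UFO)
        return false;
    c.no_check_tx = true;             /* setsockopt(SO_NO_CHECK) between sends */
    return append(&c, 100, fixed) == PATH_FRAG;
}

int main(void)
{
    printf("split datagram enters UFO: old=%d fixed=%d\n",
           split_then_large_switches_to_ufo(false),
           split_then_large_switches_to_ufo(true));
    printf("gso datagram leaves UFO:   old=%d fixed=%d\n",
           gso_then_no_check_leaves_ufo(false),
           gso_then_no_check_leaves_ufo(true));
    return 0;
}
```

Both scenarios print `old=1 fixed=0`: the pre-fix predicate lets the path flip in either direction in the middle of one corked datagram, which is the condition the commit message calls out, while the fixed predicate pins the path once the first decision is made. The model only reproduces the decision, not the memory corruption that follows from appending gso frags to a datagram already queued as separate skbs.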