Revision history [back]
 | 1 | initial version | posted 2018-01-16 10:12:50 +0200  |
Fix aborted xfrm policy dump crash in kernel-net-ipsec CVE-2017-16939
The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel before 4.13.11 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages. (Score: 7.8high / local)
Patch is available.
File affected: kernel-adaptation-sbj-3.4.108.20161101.1/net/xfrm/xfrm_user.c lines 1520-1525
So the patch should look like:
@@ -1520,7 +1520,8 @@ static int xfrm_dump_policy_done(struct netlink_callback *cb)
{
struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
- xfrm_policy_walk_done(walk);
+ if (cb->args[0])
+ xfrm_policy_walk_done(walk);
return 0;
}
| | 2 | retagged |
Fix aborted xfrm policy dump crash in kernel-net-ipsec CVE-2017-16939
The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel before 4.13.11 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages. (Score: 7.8high / local)
Patch is available.
File affected: kernel-adaptation-sbj-3.4.108.20161101.1/net/xfrm/xfrm_user.c lines 1520-1525
So the patch should look like:
@@ -1520,7 +1520,8 @@ static int xfrm_dump_policy_done(struct netlink_callback *cb)
{
struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
- xfrm_policy_walk_done(walk);
+ if (cb->args[0])
+ xfrm_policy_walk_done(walk);
return 0;
}