oss-sec mailing list archives

Re: CVE-2017-7308: Linux kernel: integer overflow in packet_set_ring

From: Andrey Konovalov <andreyknvl () google com>
Date: Wed, 10 May 2017 18:37:42 +0200

On Fri, Mar 31, 2017 at 7:20 PM, Andrey Konovalov <andreyknvl () google com> wrote:

On Fri, Mar 31, 2017 at 2:03 PM, Andrey Konovalov <andreyknvl () google com> wrote:

Hi,

CVE-2017-7308 [1] was assigned to the following issue:

The packet_set_ring function in net/packet/af_packet.c in the Linux
kernel through 4.10.6 does not properly validate certain block-size
data, which allows local users to cause a denial of service (overflow)
or possibly have unspecified other impact via crafted system calls.

The fix is sent upstream [2].


Update: the fix actually consists of 3 patches:

https://patchwork.ozlabs.org/patch/744811/
https://patchwork.ozlabs.org/patch/744813/
https://patchwork.ozlabs.org/patch/744812/


Another update: this turned out to be exploitable.

Details are here:
https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html


[1] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7308

[2] https://patchwork.ozlabs.org/patch/744811/

Current thread:

Re: CVE-2017-7308: Linux kernel: integer overflow in packet_set_ring Solar Designer (Apr 01)
- Re: CVE-2017-7308: Linux kernel: integer overflow in packet_set_ring Martin Prpic (Apr 03)
- <Possible follow-ups>
- Re: CVE-2017-7308: Linux kernel: integer overflow in packet_set_ring Andrey Konovalov (May 10)