oss-sec mailing list archives

Re: CVE Request: Linux Kernel: Linux netfilter IPT_SO_SET_REPLACE memory corruption


From: Steve Beattie <steve () nxnw org>
Date: Thu, 10 Mar 2016 03:16:36 -0800

Hi,

On Thu, Mar 10, 2016 at 10:25:49AM +0100, Marcus Meissner wrote:
> From the P0 team at Google:
> 
> https://code.google.com/p/google-security-research/issues/detail?id=758
> 
> A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE
> ioctl in the netfilter code for iptables support. This ioctl can be
> triggered by an unprivileged user on PF_INET sockets when unprivileged
> user namespaces are available (CONFIG_USER_NS=y). Android does not
> enable this option, but desktop/server distributions and Chrome OS
> will commonly enable this to allow for containers support or sandboxing.
> 
> ...
> 
> I think this needs a CVE.

It likely needs two, one for the issue above,
which has been proposed to be addressed by
http://marc.info/?l=netfilter-devel&m=145757134822741&w=2

and one for the unsigned integer overflow on 32bit kernels
mentioned as an aside at the end of the original report. Proposed
fix is http://marc.info/?l=netfilter-devel&m=145757136822750&w=2

Thanks.
-- 
Steve Beattie
<sbeattie () ubuntu com>
http://NxNW.org/~steve/
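
The quoted report ties exposure to two things: the kernel being built with CONFIG_USER_NS=y and unprivileged user namespaces actually being available to ordinary users. The following script is an added illustration of how an administrator can classify a host on those two criteria; it is not part of the original mail, the Project Zero report, or the kernel/netfilter patches linked above. It assumes the running kernel's config is readable at /boot/config-$(uname -r) and that the distribution carries the Debian/Ubuntu kernel.unprivileged_userns_clone sysctl; both are assumptions, and the config fragments in the demo are constructed, not taken from real hosts.

```shell
#!/bin/sh
# Added example, not part of the original mail or of the kernel/netfilter
# project. Classifies whether a host exposes the attack surface described
# in the report: the ioctl is reachable by unprivileged users only when the
# kernel was built with CONFIG_USER_NS=y and unprivileged user namespaces
# have not been switched off. The sysctl name kernel.unprivileged_userns_clone
# is an assumption (a Debian/Ubuntu-specific knob); the config path under
# /boot is the usual location but also an assumption.

# Return 0 when the given kernel config file contains CONFIG_USER_NS=y.
config_user_ns_enabled() {
    grep -qx 'CONFIG_USER_NS=y' "$1"
}

# $1: kernel config file
# $2: value of kernel.unprivileged_userns_clone, or "" if the sysctl is absent
# Prints one of: not-built, mitigated, exposed
classify_userns_exposure() {
    if ! config_user_ns_enabled "$1"; then
        echo "not-built"      # CONFIG_USER_NS off: ioctl needs real CAP_NET_ADMIN
    elif [ "$2" = "0" ]; then
        echo "mitigated"      # built in, but unprivileged clone disabled
    else
        echo "exposed"        # built in and reachable by unprivileged users
    fi
}

# Live check against the running kernel (assumed paths; prints the verdict).
live_check() {
    cfg="/boot/config-$(uname -r)"
    if [ ! -r "$cfg" ]; then
        echo "unknown: cannot read $cfg" >&2
        return 2
    fi
    val=""
    [ -r /proc/sys/kernel/unprivileged_userns_clone ] && \
        val=$(cat /proc/sys/kernel/unprivileged_userns_clone)
    classify_userns_exposure "$cfg" "$val"
}

# Demonstration on constructed config fragments (not real hosts).
demo() {
    tmp=$(mktemp)
    printf 'CONFIG_NET=y\nCONFIG_USER_NS=y\nCONFIG_NETFILTER=y\n' > "$tmp"
    echo "desktop-style config, no sysctl: $(classify_userns_exposure "$tmp" "")"
    echo "same config, clone sysctl = 0:  $(classify_userns_exposure "$tmp" 0)"
    printf 'CONFIG_NET=y\n# CONFIG_USER_NS is not set\n' > "$tmp"
    echo "android-style config:           $(classify_userns_exposure "$tmp" "")"
    rm -f "$tmp"
}

demo
```

Run live_check on a host to get its verdict; "exposed" means the ioctl path in the report is reachable from an unprivileged process until the referenced netfilter fixes are applied, while "mitigated" or "not-built" means the unprivileged entry point is closed even though the underlying bug may still be present in the code.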
