oss-sec mailing list archives

Re: CVE-2017-7308: Linux kernel: integer overflow in packet_set_ring

From: Solar Designer <solar () openwall com>
Date: Sat, 1 Apr 2017 22:44:57 +0200

To Red Hat folks:

On Fri, Mar 31, 2017 at 07:20:20PM +0200, Andrey Konovalov wrote:

On Fri, Mar 31, 2017 at 2:03 PM, Andrey Konovalov <andreyknvl () google com> wrote:

CVE-2017-7308 [1] was assigned to the following issue:

The packet_set_ring function in net/packet/af_packet.c in the Linux
kernel through 4.10.6 does not properly validate certain block-size
data, which allows local users to cause a denial of service (overflow)
or possibly have unspecified other impact via crafted system calls.

The fix is sent upstream [2].


Update: the fix actually consists of 3 patches:

https://patchwork.ozlabs.org/patch/744811/
https://patchwork.ozlabs.org/patch/744813/
https://patchwork.ozlabs.org/patch/744812/

[1] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7308

[2] https://patchwork.ozlabs.org/patch/744811/


Red Hat currently says all RHEL starting with RHEL5 are affected:

https://access.redhat.com/security/cve/cve-2017-7308

However, the corresponding Bugzilla entry has no mention of that:

https://bugzilla.redhat.com/show_bug.cgi?id=1437404

So is it just a better-safe-than-sorry default to list products as
affected until known otherwise?  If so, maybe Unknown would be better?

RHEL5 doesn't yet include TPACKET_V3.  I did not check RHEL6.

https://github.com/torvalds/linux/commit/f6fb8f100b807378fda19e83e5ac6828b638603a

Alexander

Current thread:

Re: CVE-2017-7308: Linux kernel: integer overflow in packet_set_ring Solar Designer (Apr 01)
- Re: CVE-2017-7308: Linux kernel: integer overflow in packet_set_ring Martin Prpic (Apr 03)
- <Possible follow-ups>
- Re: CVE-2017-7308: Linux kernel: integer overflow in packet_set_ring Andrey Konovalov (May 10)