oss-sec mailing list archives
Linux kernel: fixed bug in net/core/flow_dissector.c
From: Alexander Popov <alex.popov () linux com>
Date: Thu, 24 Aug 2017 17:52:45 +0300
Hello,

I was asked to investigate a suspicious kernel crash on some Linux server. It is at least a remote DoS (and maybe RCE): Linux crashes on receiving a single special MPLS packet.

I bisected and found out that the bug was introduced in commit b3baa0fbd02a1a9d493d8cb92ae4a4491b9e9d13
Author: Tom Herbert <tom () herbertland com>
Date: Thu Jun 4 09:16:46 2015 -0700

and was later fixed in commit a6e544b0a88b53114bfa5a57e21b7be7a8dfc9d0
Author: Tom Herbert <tom () herbertland com>
Date: Tue Sep 1 09:24:26 2015 -0700

So currently the mainline kernel is not affected. However, this fix is obfuscated and looks like unimportant code cleanup at first glance. IMO that is not good. Moreover, the fix is a part of a branch which breaks the kernel build, so bisecting was not easy.

Actually the vulnerability is the usage of uninitialized variables. It is caused by returning true without setting values for n_proto, ip_proto and thoff in __skb_flow_dissect().

Is it worth requesting a CVE ID for that issue?

Best regards,
Alexander
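The bug class the mail describes, as an added illustration that is not part of the original post and is not the kernel's own flow_dissector.c: a dissector with an early "return true" path that never writes its out-parameters (named n_proto, ip_proto and thoff after the mail), beside a version that defines every output before any return. The packet layouts, the struct, the caller and the 0xff "stale stack" fill are constructed for the demo; the MPLS branch here simply models "success reported, nothing written", not the real kernel logic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the bug class described in the mail; NOT the kernel's
 * __skb_flow_dissect(). Field names follow the mail; layouts are simplified. */

#define ETH_P_IP   0x0800
#define ETH_P_MPLS 0x8847

struct flow_keys {
    uint16_t n_proto;   /* network-layer protocol */
    uint8_t  ip_proto;  /* transport protocol (TCP/UDP/...) */
    uint16_t thoff;     /* offset of the transport header in the packet */
};

/* Buggy dissector: the MPLS branch reports success but never writes *keys,
 * so the caller consumes whatever was in that memory before the call. */
static bool dissect_buggy(const uint8_t *pkt, size_t len, uint16_t proto,
                          struct flow_keys *keys)
{
    if (proto == ETH_P_MPLS)
        return true;                       /* BUG: keys left untouched */
    if (proto == ETH_P_IP && len >= 20) {
        keys->n_proto  = proto;
        keys->ip_proto = pkt[9];                            /* IPv4 protocol */
        keys->thoff    = (uint16_t)((pkt[0] & 0x0f) * 4);   /* IHL * 4      */
        return true;
    }
    return false;
}

/* Fixed dissector: every output has a value before any return, and a path
 * that found no transport header says so instead of claiming success. */
static bool dissect_fixed(const uint8_t *pkt, size_t len, uint16_t proto,
                          struct flow_keys *keys)
{
    memset(keys, 0, sizeof(*keys));
    if (proto == ETH_P_MPLS) {
        keys->n_proto = proto;
        return false;                      /* nothing below the label stack */
    }
    if (proto == ETH_P_IP && len >= 20) {
        keys->n_proto  = proto;
        keys->ip_proto = pkt[9];
        keys->thoff    = (uint16_t)((pkt[0] & 0x0f) * 4);
        return keys->thoff + 4 <= len;     /* ports must fit in the packet */
    }
    return false;
}

typedef bool (*dissect_fn)(const uint8_t *, size_t, uint16_t, struct flow_keys *);

/* Caller pattern: once dissect() says true, read 4 bytes of ports at thoff.
 * Returns how many bytes that read would extend past the packet (0 = safe). */
static size_t bytes_read_past_end(dissect_fn dissect, const uint8_t *pkt,
                                  size_t len, uint16_t proto)
{
    struct flow_keys keys;
    memset(&keys, 0xff, sizeof(keys));     /* simulated stale stack contents */
    if (!dissect(pkt, len, proto, &keys))
        return 0;                          /* caller never touches keys */
    size_t need = (size_t)keys.thoff + 4;
    return need > len ? need - len : 0;
}

/* Constructed MPLS packet: one label (16), bottom-of-stack set, TTL 255. */
static const uint8_t mpls_pkt[] = { 0x00, 0x01, 0x01, 0xff };

/* Constructed IPv4/UDP packet: 20-byte header, proto 17, 8-byte UDP header. */
static const uint8_t ipv4_pkt[] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2,
    0x30, 0x39, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00,
};

size_t overread_with_buggy(void)
{
    return bytes_read_past_end(dissect_buggy, mpls_pkt, sizeof mpls_pkt, ETH_P_MPLS);
}

size_t overread_with_fixed(void)
{
    return bytes_read_past_end(dissect_fixed, mpls_pkt, sizeof mpls_pkt, ETH_P_MPLS);
}

/* Sanity check that the fixed path still dissects a normal packet. */
int ip_proto_of_ipv4_sample(void)
{
    struct flow_keys keys;
    if (!dissect_fixed(ipv4_pkt, sizeof ipv4_pkt, ETH_P_IP, &keys))
        return -1;
    return keys.ip_proto;
}

int main(void)
{
    printf("buggy: %zu bytes past end, fixed: %zu bytes past end, ipv4 proto %d\n",
           overread_with_buggy(), overread_with_fixed(), ip_proto_of_ipv4_sample());
    return 0;
}
```

With the stale 0xff fill, the buggy path hands the caller thoff = 0xffff and a read far beyond a 4-byte packet, while the fixed path reports no transport header and the caller never uses the keys. The real kernel fix is in the commit the mail cites; this demo only shows why "initialize outputs before any success return" matters for a function whose callers trust its return value.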
Current thread:
- Linux kernel: fixed bug in net/core/flow_dissector.c Alexander Popov (Aug 24)
- Re: Linux kernel: fixed bug in net/core/flow_dissector.c Seth Arnold (Aug 24)
- Re: Linux kernel: fixed bug in net/core/flow_dissector.c Alexander Popov (Aug 29)
- Re: Linux kernel: fixed bug in net/core/flow_dissector.c Seth Arnold (Aug 24)