oss-sec mailing list archives
Re: Re: Linux kernel: CVE-2017-1000112: Exploitable memory corruption due to UFO to non-UFO path switch
From: Thomas Jarosch <thomas.jarosch () intra2net com>
Date: Thu, 14 Sep 2017 14:45:44 +0200
Hi Andrey,

On Sunday, 13 August 2017 18:21:55 CEST Andrey Konovalov wrote:

> ### Exploitation
>
> The bug can be exploited by an unprivileged user if:
>
> 1. User can set up an interface with UFO enabled and MTU < 65535 or such interface is already present in the system. The former is possible from inside a user namespace.

The aftermath of this bug is that UFO is scheduled to be removed in the kernel. According to David Miller it's too much code complexity for little gain. (https://www.spinics.net/lists/netdev/msg443815.html)

An easy security fix for old kernels is therefore to prevent UFO from becoming enabled. This is done by masking the UFO feature inside net/core/dev.c:netdev_fix_features(), which gets called during register_netdevice() and also when someone tries to re-enable UFO f.e. with ethtool later on.

I'm sharing my "one line" patch here in case it's useful to someone else stuck on old kernel versions, f.e. Android phones. Also please correct me if I'm wrong on this fix.

Cheers,
Thomas

------------------------

Disable UFO support in the kernel. Prevents CVE-2017-1000112.

Upstream UFO removal: https://www.spinics.net/lists/netdev/msg443815.html

Signed-off-by: Thomas Jarosch <thomas.jarosch () intra2net com>

diff -u -r -p linux-3.14/net/core/dev.c linux.disable_ufo/net/core/dev.c --- linux-3.14/net/core/dev.c 2014-03-31 05:40:15.000000000 +0200 +++ linux.disable_ufo/net/core/dev.c 2017-09-14 12:29:01.958899810 +0200 @@ -5658,23 +5658,8 @@ static netdev_features_t netdev_fix_feat features &= ~NETIF_F_GSO; } - /* UFO needs SG and checksumming */ - if (features & NETIF_F_UFO) { - /* maybe split UFO into V4 and V6? */ - if (!((features & NETIF_F_GEN_CSUM) || - (features & (NETIF_F_IP_CSUM|NETIF_F_IPV6_CSUM)) - == (NETIF_F_IP_CSUM|NETIF_F_IPV6_CSUM))) { - netdev_dbg(dev, - "Dropping NETIF_F_UFO since no checksum offload features.\n"); - features &= ~NETIF_F_UFO; - } - - if (!(features & NETIF_F_SG)) { - netdev_dbg(dev, - "Dropping NETIF_F_UFO since no NETIF_F_SG feature.\n"); - features &= ~NETIF_F_UFO; - } - } + /* Disable UFO to prevent CVE-2017-1000112. UFO support is removed upstream */ + features &= ~NETIF_F_UFO; return features; }
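Review bot: the new `+ features &= ~NETIF_F_UFO;` clears the bit silently, whereas both removed branches emitted a `netdev_dbg(dev, "Dropping NETIF_F_UFO ...")` when they dropped it; since netdev_fix_features() is also the path taken when an administrator runs `ethtool -K <iface> ufo on`, consider keeping a `netdev_dbg(dev, "Dropping NETIF_F_UFO (CVE-2017-1000112 mitigation).\n");` in front of the mask so the refused re-enable is diagnosable rather than silent. Removing the checksum and SG checks is fine, since they only mattered while UFO could remain set; the added comment would read better as a sentence, e.g. `/* Disable UFO to prevent CVE-2017-1000112; UFO support has been removed upstream. */`.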
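To confirm on a patched host that the mask really sticks (including after someone tries to switch UFO back on with ethtool), the following check, added here and not part of Thomas's patch or the thread, inspects every interface's `ethtool -k` report; it assumes ethtool is installed, and the two sample outputs are constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original message: verify that no interface
# still reports udp-fragmentation-offload as "on", the state the patch
# above is meant to enforce from netdev_fix_features().

ufo_state() {
    # $1 is the text of `ethtool -k <iface>`; prints "on", "off" or "unknown".
    printf '%s\n' "$1" | awk '
        /^udp-fragmentation-offload:/ { print $2; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# Walk every interface and report those where UFO is still enabled.
# Returns 0 when none has UFO on, 1 otherwise. Interfaces that ethtool
# cannot query (or a missing ethtool binary) are skipped.
check_all_ifaces() {
    rc=0
    for path in /sys/class/net/*; do
        iface=${path##*/}
        out=$(ethtool -k "$iface" 2>/dev/null) || continue
        if [ "$(ufo_state "$out")" = "on" ]; then
            echo "UFO still enabled on $iface" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed, abridged `ethtool -k` outputs for offline testing.
SAMPLE_ON='Features for eth0:
tcp-segmentation-offload: on
udp-fragmentation-offload: on
generic-segmentation-offload: on'

SAMPLE_OFF='Features for eth0:
tcp-segmentation-offload: on
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: on'
```

Run `check_all_ifaces` once after booting the patched kernel and once more after an `ethtool -K <iface> ufo on` attempt; both runs should return 0.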