oss-sec mailing list archives

Re: Re: Linux kernel: CVE-2017-1000112: Exploitable memory corruption due to UFO to non-UFO path switch


From: Thomas Jarosch <thomas.jarosch () intra2net com>
Date: Thu, 14 Sep 2017 14:45:44 +0200

Hi Andrey,

On Sunday, 13 August 2017 18:21:55 CEST Andrey Konovalov wrote:
> ### Exploitation
>
> The bug can be exploited by an unprivileged user if:
>
> 1. User can set up an interface with UFO enabled and MTU < 65535 or
> such interface is already present in the system. The former is
> possible from inside a user namespace.

The aftermath of this bug is that UFO is scheduled
to be removed in the kernel. According to David Miller
it's too much code complexity for little gain.
(https://www.spinics.net/lists/netdev/msg443815.html)

An easy security fix for old kernels is therefore to prevent UFO
from becoming enabled. This is done by masking the UFO feature
inside net/core/dev.c:netdev_fix_features(), which gets called
during register_netdevice() and also when someone tries to
re-enable UFO, e.g. with ethtool, later on.

I'm sharing my "one line" patch here in case it's useful to someone
else stuck on old kernel versions, e.g. Android phones.
Also please correct me if I'm wrong on this fix.

Cheers,
Thomas

------------------------
Disable UFO support in the kernel. Prevents CVE-2017-1000112.

Upstream UFO removal:
https://www.spinics.net/lists/netdev/msg443815.html

Signed-off-by: Thomas Jarosch <thomas.jarosch () intra2net com>
diff -u -r -p linux-3.14/net/core/dev.c linux.disable_ufo/net/core/dev.c
--- linux-3.14/net/core/dev.c   2014-03-31 05:40:15.000000000 +0200
+++ linux.disable_ufo/net/core/dev.c    2017-09-14 12:29:01.958899810 +0200
@@ -5658,23 +5658,8 @@ static netdev_features_t netdev_fix_feat
                features &= ~NETIF_F_GSO;
        }
 
-       /* UFO needs SG and checksumming */
-       if (features & NETIF_F_UFO) {
-               /* maybe split UFO into V4 and V6? */
-               if (!((features & NETIF_F_GEN_CSUM) ||
-                   (features & (NETIF_F_IP_CSUM|NETIF_F_IPV6_CSUM))
-                           == (NETIF_F_IP_CSUM|NETIF_F_IPV6_CSUM))) {
-                       netdev_dbg(dev,
-                               "Dropping NETIF_F_UFO since no checksum offload features.\n");
-                       features &= ~NETIF_F_UFO;
-               }
-
-               if (!(features & NETIF_F_SG)) {
-                       netdev_dbg(dev,
-                               "Dropping NETIF_F_UFO since no NETIF_F_SG feature.\n");
-                       features &= ~NETIF_F_UFO;
-               }
-       }
+       /* Disable UFO to prevent CVE-2017-1000112. UFO support is removed upstream */
+       features &= ~NETIF_F_UFO;
 
        return features;
 }
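Review bot: the two branches this hunk removes each emit a netdev_dbg() when they drop NETIF_F_UFO, but the replacement `+       features &= ~NETIF_F_UFO;` clears the flag silently; because dev->hw_features can still advertise UFO, a later `ethtool -K <dev> ufo on` is accepted by the feature path and then masked here with no trace in the logs. Keep a `netdev_dbg(dev, "Dropping NETIF_F_UFO (CVE-2017-1000112)\n");` before the mask, consistent with the neighbouring NETIF_F_GSO handling, or additionally clear NETIF_F_UFO from dev->hw_features at registration so that ethtool reports the feature as [fixed]. The added comment line also runs past 80 columns; wrap it into the block-comment style used elsewhere in netdev_fix_features().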

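To confirm on a running host that the mitigation described above actually holds (whether from this patch or from the upstream UFO removal), the following added shell helper, which is not part of the original post or of the kernel patch, parses the `udp-fragmentation-offload` line of `ethtool -k` output and classifies it. The interface name `eth0` and the abbreviated `ethtool -k` listings are constructed sample data; the only assumption about the real tool is the output format `udp-fragmentation-offload: <on|off> [fixed]` that `ethtool -k` prints.

```shell
#!/bin/sh
# Added verification helper (not from the original post or the kernel patch).
# ufo_state reads `ethtool -k` output on stdin and prints exactly one of:
#   on         - UFO enabled (host exposes the CVE-2017-1000112 path)
#   off        - UFO disabled but still advertised as changeable
#   fixed-off  - UFO disabled and not changeable (upstream removal)
#   fixed-on   - UFO enabled and not changeable
#   absent     - no UFO line at all (very old ethtool or unexpected output)
ufo_state() {
    awk '
        $1 == "udp-fragmentation-offload:" {
            state = $2
            if ($3 == "[fixed]") print "fixed-" state; else print state
            found = 1
            exit          # END still runs, but found is set
        }
        END { if (!found) print "absent" }
    '
}

# check_iface prints the classification for one interface and returns
# 0 when UFO cannot be active (off, fixed-off or absent), 1 when it is on,
# and 2 when ethtool is not installed.  Usage: check_iface eth0
check_iface() {
    iface="$1"
    command -v ethtool >/dev/null 2>&1 || { echo "ethtool not found" >&2; return 2; }
    state=$(ethtool -k "$iface" 2>/dev/null | ufo_state)
    echo "$iface: udp-fragmentation-offload=$state"
    case "$state" in
        off|fixed-off|absent) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample listings (abbreviated `ethtool -k eth0` output), used to
# exercise ufo_state without touching a real interface.
SAMPLE_UFO_ON='Features for eth0:
tx-checksumming: on
scatter-gather: on
udp-fragmentation-offload: on
generic-segmentation-offload: on'

SAMPLE_UFO_MASKED='Features for eth0:
tx-checksumming: on
scatter-gather: on
udp-fragmentation-offload: off
generic-segmentation-offload: on'

SAMPLE_UFO_REMOVED='Features for eth0:
tx-checksumming: on
scatter-gather: on
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: on'

# When an interface name is given on the command line, check it for real.
if [ $# -gt 0 ]; then
    check_iface "$1"
fi
```

With the one-line patch above, a patched 3.14 host reports `off` (the flag is masked but still listed in hw_features), while kernels that dropped UFO entirely report `off [fixed]`; either result means the vulnerable UFO path cannot be reached.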
