oss-sec mailing list archives
Re: CVE-2017-14489: Linux kernel: scsi: nlmsg is not properly parsed in iscsi_if_rx()
From: Vladis Dronov <vdronov () redhat com>
Date: Mon, 25 Sep 2017 07:04:25 -0400 (EDT)
heololo, an additional research shows that the very latest kernels are not showing a crash with a reproducer. git bisect showed that: commit 7f564528a480084e2318cd48caba7aef4a54a77f (between v4.11 and v4.12-rc1) is the first commit a crash is not reproduced with: commit 7f564528a480084e2318cd48caba7aef4a54a77f Author: Steffen Klassert <steffen.klassert () secunet com> Date: Sat Apr 8 20:36:24 2017 +0200 skbuff: Extend gso_type to unsigned int. i.e. this is commit which fixed the crash. checking the code, it looks like struct skb_shared_info's fields were reordered, so a field which overwrite was causing a panic has been moved. nevertheless, the buffer overwrite is still there, so a suggested patch 9923803 (or its later version) is still needed. for a proof compare a flaw description:
ev = nlmsg_data(nlh) will acutally get skb_shinfo(SKB) instead and set a new value to skb_shinfo(SKB)->nr_frags by ev->type.
and the commit message:
The remaining two byte hole is moved to the beginning of the structure, this protects us from immediate overwites on out of bound writes to the sk_buff head. Structure layout on x86-64 before the change: struct skb_shared_info { unsigned char nr_frags; __u8 tx_flags; Structure layout on x86-64 after the change: struct skb_shared_info { short unsigned int _unused; unsigned char nr_frags; __u8 tx_flags;
Best regards, Vladis Dronov | Red Hat, Inc. | Product Security Engineer
Current thread:
- CVE-2017-14489: Linux kernel: scsi: nlmsg is not properly parsed in iscsi_if_rx() Vladis Dronov (Sep 22)
- Re: CVE-2017-14489: Linux kernel: scsi: nlmsg is not properly parsed in iscsi_if_rx() Vladis Dronov (Sep 25)