SecurityTracker.com
Category:   OS (Linux)  >   Linux Kernel
Vendors:   kernel.org
Linux Kernel packet_set_ring() Race Condition Lets Local Users Obtain Root Privileges
SecurityTracker Alert ID:  1039132
SecurityTracker URL:  http://securitytracker.com/id/1039132
CVE Reference:   CVE-2017-1000111
Date:  Aug 11 2017
Impact:   Root access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A vulnerability was reported in the Linux kernel. A local user can obtain root privileges on the target system.

A local user who holds the CAP_NET_RAW capability and can create PF_PACKET sockets can trigger a race condition and use-after-free memory error in packet_set_ring() to execute arbitrary code on the target system with root privileges.

The vendor was notified on August 3, 2017.

Impact:   A local user can obtain root privileges on the target system.
Solution:   The vendor has issued a source code fix, available at:

https://github.com/torvalds/linux/commit/c27927e372f0785f3303e8fad94b85945e2c97b7

Vendor URL:  www.kernel.org/
Cause:   Access control error, State error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 15 2017 (Ubuntu Issues Fix) Linux Kernel packet_set_ring() Race Condition Lets Local Users Obtain Root Privileges
Ubuntu has issued a fix for Ubuntu Linux 16.04 LTS.
Aug 16 2017 (Ubuntu Issues Fix) Linux Kernel packet_set_ring() Race Condition Lets Local Users Obtain Root Privileges
Ubuntu has issued a fix for Ubuntu Linux 17.04.



 Source Message Contents

Date:  Thu, 10 Aug 2017 15:25:20 -0700
Subject:  [oss-security] Linux kernel: CVE-2017-1000111: heap out-of-bounds in AF_PACKET sockets

Hi,

Syzkaller found a race condition in PF_PACKET sockets with setting
socket option PACKET_RESERVE. The bug is analogous to a previous one
with PACKET_VERSION reported as CVE-2016-8655. The same analysis
applies.

The bug requires CAP_NET_RAW to open a packet socket. This is a
privileged operation, unless unprivileged user namespaces are enabled.

The fix has been submitted to netdev as

  packet: fix tp_reserve race in packet_set_ring

  Updates to tp_reserve can race with reads of the field in
  packet_set_ring. Avoid this by holding the socket lock during
  updates in setsockopt PACKET_RESERVE.

  This bug was discovered by syzkaller.

  Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
  Reported-by: Andrey Konovalov <andreyknvl@google.com>
  Signed-off-by: Willem de Bruijn <willemb@google.com>

  c27927e372f0785f3303e8fad94b85945e2c97b7
  http://patchwork.ozlabs.org/patch/800274/

Timeline:

2017.08.03 - Bug reported to security@kernel.org
2017.08.04 - Bug reported to linux-distros@
2017.08.10 - Patch submitted to netdev
2017.08.10 - Announcement on oss-security@
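
Added example (not part of the advisory or the quoted message): the message notes that opening a packet socket needs CAP_NET_RAW, which is privileged unless unprivileged user namespaces are enabled. The script below reports that condition on a host by reading user.max_user_namespaces (mainline, Linux 4.9 and later) and kernel.unprivileged_userns_clone (a Debian/Ubuntu-specific switch); the function names and the PROC_SYS override are assumptions of this example.

```shell
#!/bin/sh
# Added example: is the "unprivileged user namespaces" precondition present?
# PROC_SYS can be pointed at a directory of constructed files for testing.
PROC_SYS="${PROC_SYS:-/proc/sys}"

# Print the value of a sysctl file, or "absent" if this kernel lacks it.
read_sysctl() {
    if [ -r "$PROC_SYS/$1" ]; then
        tr -d ' \t\n' < "$PROC_SYS/$1"
    else
        echo absent
    fi
}

# Prints one of: blocked, allowed, unknown
userns_state() {
    max=$(read_sysctl user/max_user_namespaces)
    clone=$(read_sysctl kernel/unprivileged_userns_clone)

    # A limit of 0 prevents creation of any new user namespace.
    if [ "$max" = 0 ]; then echo blocked; return; fi

    # Debian/Ubuntu switch: 0 denies creation by unprivileged users.
    if [ "$clone" = 0 ]; then echo blocked; return; fi

    # Neither knob exists: the kernel predates both or was built
    # differently, so the sysctls alone cannot answer the question.
    if [ "$max" = absent ] && [ "$clone" = absent ]; then
        echo unknown
        return
    fi

    echo allowed
}

case "$(userns_state)" in
    blocked) echo "userns: blocked; CAP_NET_RAW needs a privileged account" ;;
    allowed) echo "userns: allowed; unprivileged users can reach CAP_NET_RAW; prioritise the kernel fix" ;;
    *)       echo "userns: unknown; check the kernel config (CONFIG_USER_NS)" ;;
esac
```

A "blocked" result narrows who can reach the bug but does not replace the kernel update, since any process that already holds CAP_NET_RAW is still affected.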
 
 


Copyright 2017, SecurityGlobal.net LLC