Date: Thu, 10 Mar 2016 03:16:36 -0800
From: Steve Beattie <steve@...w.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE Request: Linux Kernel: Linux netfilter IPT_SO_SET_REPLACE memory corruption

Hi,

On Thu, Mar 10, 2016 at 10:25:49AM +0100, Marcus Meissner wrote:
> From the P0 team at Google:
>
> https://code.google.com/p/google-security-research/issues/detail?id=758
>
> A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE
> ioctl in the netfilter code for iptables support. This ioctl can be
> triggered by an unprivileged user on PF_INET sockets when unprivileged
> user namespaces are available (CONFIG_USER_NS=y). Android does not
> enable this option, but desktop/server distributions and Chrome OS
> will commonly enable this to allow for containers support or sandboxing.
>
> ...
>
> I think this needs a CVE.

It likely needs two, one for the issue above, which has been proposed
to be addressed by

  http://marc.info/?l=netfilter-devel&m=145757134822741&w=2

and one for the unsigned integer overflow on 32bit kernels mentioned as
an aside at the end of the original report. Proposed fix is

  http://marc.info/?l=netfilter-devel&m=145757136822750&w=2

Thanks.

-- 
Steve Beattie
<sbeattie@...ntu.com>
http://NxNW.org/~steve/