Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 14 Feb 2017 09:14:24 -0500 (EST)
From: Vladis Dronov <vdronov@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Linux kernel: Reachable BUG_ON from userspace in
 sctp_wait_for_sndbuf()

CVE-2017-5986 was assigned, thanks.

> [Suggested description]
> It was reported that with Linux kernel, earlier than version
> v4.10-rc8, an application may trigger a BUG_ON() in
> sctp_wait_for_sndbuf() if the socket TX buffer is full, a thread is
> waiting on it to queue more data, and meanwhile another thread peels
> off the association being used by the first thread.
>
> ------------------------------------------
>
> [Additional Information]
> A panic (BUG_ON()) is triggerable by a random user in userspace. There is no reproducer, but triggering it is easy:
> - bind&list a socket
> - connect to it (may use localhost)
> - accept the association
> - create a second thread
> - push data until sendmsg returns AGAIN
> - call a blocking sendmsg()
> - (2nd thread) do peel off operation
> - read some data
> - panic
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> CWE-617 - Reachable Assertion - http://cwe.mitre.org/data/definitions/617.html
>
> ------------------------------------------
>
> [Vendor of Product]
> kernel.org: Linux kernel
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Linux kernel - fixed in v4.10-rc8
>
> ------------------------------------------
>
> [Affected Component]
> The Linux kernel, file net/sctp/socket.c, function sctp_wait_for_sndbuf()
>
> ------------------------------------------
>
> [Attack Type]
> Local
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> To exploit vulnerability a certain code should be run from a
> non-privileged user and a certain race condition in the kernel code
> should be hit
>
> ------------------------------------------
>
> [Reference]
> https://bugzilla.redhat.com/show_bug.cgi?id=1420276
> https://lkml.org/lkml/2017/1/30/238
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2dcab598484185dea7ec22219c76dcdd59e3cb90
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Alexander Popov <alex.popov@...ux.com>
>
> Use CVE-2017-5986.
> --- 
> CVE Assignment Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ