Date: Mon, 14 Aug 2017 00:07:02 +0200
From: Solar Designer <>
Cc: Andrey Konovalov <>, Dmitry Vyukov <>,
	Kostya Serebryany <>
Subject: Re: Re: Linux kernel: CVE-2017-1000112: Exploitable memory corruption due to UFO to non-UFO path switch

On Sun, Aug 13, 2017 at 06:21:55PM +0200, Andrey Konovalov wrote:
> ### Exploitation
> The bug can be exploited by an unprivileged user if:
> 1. User can set up an interface with UFO enabled and MTU < 65535 or
> such interface is already present in the system. The former is
> possible from inside a user namespace.
> 2. User can disable the NETIF_F_UFO interface feature or set the
> SO_NO_CHECK socket option. The former requires CAP_NET_ADMIN. The
> latter is only possible after 40ba330227ad ("udp: disallow UFO for
> sockets with SO_NO_CHECK option") from Jan 11 2016. Both are possible
> from inside a user namespace.
> In particular, the bug can be exploited by an unprivileged user if
> unprivileged user namespaces are available.
> Below is a link to a proof-of-concept exploit that gets root on a
> range of Ubuntu kernels. The exploit triggers an out-of-bounds write
> on a socket buffer and overwrites
> skb_shared_info.destructor_arg->callback with a pointer to shellcode.
> The exploit includes SMEP and KASLR bypasses, but no SMAP bypass.
> Link:

Nice collection of Linux kernel exploits you got there:

Also relevant:

Still, for archival purposes please attach the actual exploits to your
oss-security postings as well.  I've attached your poc.c for this bug.


View attachment "poc.c" of type "text/x-c" (22887 bytes)
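As an added defender-side audit, not part of this thread or of the attached PoC: a POSIX sh helper that checks a host for the two preconditions quoted above (an already-present UFO-enabled interface with MTU below 65535, and unprivileged user namespaces being available). It assumes ethtool(8) and the kernel.unprivileged_userns_clone sysctl carried by Debian/Ubuntu kernels; where that sysctl is absent it falls back to user.max_user_namespaces as a heuristic.

```shell
#!/bin/sh
# Added audit helper, not part of the original posting or the PoC.
# Assumes ethtool(8) and, on Debian/Ubuntu kernels, the sysctl
# kernel.unprivileged_userns_clone; elsewhere user.max_user_namespaces
# is used as a heuristic (0 means no user namespaces can be created).

# Return 0 when "ethtool -k <iface>" output on stdin shows UFO on and
# the MTU given as $1 is below 65535: the interface condition quoted above.
ufo_precondition() {
    grep -q '^udp-fragmentation-offload: on' && [ "${1:-0}" -lt 65535 ]
}

# Return 0 when unprivileged user namespaces look available. $1 is the
# value of kernel.unprivileged_userns_clone (empty if the sysctl is
# missing), $2 the value of user.max_user_namespaces (empty if missing).
userns_precondition() {
    if [ -n "$1" ]; then
        [ "$1" = 1 ]
    else
        [ "${2:-0}" -gt 0 ]
    fi
}

# Walk the live host and report which preconditions are present.
audit_host() {
    clone=$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null || true)
    max=$(sysctl -n user.max_user_namespaces 2>/dev/null || true)
    if userns_precondition "$clone" "$max"; then
        echo "unprivileged user namespaces: available"
    else
        echo "unprivileged user namespaces: not available"
    fi
    for dev in /sys/class/net/*; do
        [ -r "$dev/mtu" ] || continue
        iface=${dev##*/}
        mtu=$(cat "$dev/mtu")
        if ethtool -k "$iface" 2>/dev/null | ufo_precondition "$mtu"; then
            echo "$iface: UFO enabled with MTU $mtu (< 65535)"
        fi
    done
}

# Run the live audit only when invoked as: sh ufo_audit.sh audit
if [ "${1:-}" = audit ]; then
    audit_host
fi
```

The interface check only covers interfaces that already exist; the quoted text notes that a UFO-capable interface can also be created from inside a user namespace, so the namespace result is the more decisive of the two.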
