Date: Wed, 23 Aug 2017 07:47:02 -0400 (EDT)
From: Vladis Dronov <vdronov@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2017-7558: Linux kernel: sctp: out-of-bounds read in
 inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info()

Heololo,

A kernel data leak due to an out-of-bounds read was found in the Linux kernel in
the inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions, present
since v4.7-rc1 up to v4.13-rc6 inclusive. A data leak happens when these functions
fill in sockaddr data structures used to export a socket's diagnostic information.
As a result, up to 100 bytes of slab data could be leaked to userspace.

Details: it is leaking exactly 100 bytes of a kernel slab whenever we answer a
netlink request of type INET_DIAG_LOCALS or INET_DIAG_PEERS for an SCTP socket
(e.g. sent by the 'ss' tool included in the 'iproute2' package with 'ss -Si' or
'ss -Sm').

The researcher who found this flaw and the author of the patch is Stefano Brivio of Red Hat.

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1480266

https://marc.info/?t=150348787500002&r=1&w=2

Suggested patch:

https://marc.info/?l=linux-netdev&m=150348777122761&w=2

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer
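Added example, not part of the advisory above and not the kernel's code: a user-space model of the size mismatch the advisory describes, showing why a sockaddr_storage-sized copy of a union that holds at most a sockaddr_in6 hands 100 bytes of stale memory to userspace, beside a hardened export routine that copies only the family-defined length and zero-fills the rest. The union's member set is an assumption based on the kernel's union sctp_addr.

```c
/* Added example (not kernel code): model of the CVE-2017-7558 size mismatch.
 * sizeof(struct sockaddr_storage) is 128 on Linux, sizeof(struct sockaddr_in6)
 * is 28, so exporting the union with a sockaddr_storage-sized memcpy() reads
 * 100 bytes past it, matching the "exactly 100 bytes" in the advisory. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>

/* Assumption: same members as the kernel's union sctp_addr. */
union sctp_addr_model {
    struct sockaddr sa;
    struct sockaddr_in v4;
    struct sockaddr_in6 v6;
};

/* Bytes a sockaddr_storage-sized copy would read beyond the union. */
size_t sctp_addr_overread_bytes(void)
{
    return sizeof(struct sockaddr_storage) - sizeof(union sctp_addr_model);
}

/* Vulnerable pattern (shown only as a comment, never executed here):
 *   memcpy(out, addr, sizeof(struct sockaddr_storage));
 * This reads past the end of *addr and copies whatever follows it in the
 * slab into the diagnostic record that goes to userspace.
 *
 * Hardened export: zero the destination first, then copy only the bytes the
 * address family defines. Returns bytes copied, 0 for an unknown family. */
size_t export_sctp_addr(const union sctp_addr_model *addr,
                        struct sockaddr_storage *out)
{
    size_t len;

    memset(out, 0, sizeof(*out));            /* no uninitialised tail */
    switch (addr->sa.sa_family) {
    case AF_INET:  len = sizeof(addr->v4); break;
    case AF_INET6: len = sizeof(addr->v6); break;
    default:       return 0;
    }
    memcpy(out, addr, len);                  /* len <= sizeof(*addr) */
    return len;
}

/* Check used to verify an exported record: 1 if every byte after `len` is 0. */
int tail_is_clean(const struct sockaddr_storage *out, size_t len)
{
    const unsigned char *p = (const unsigned char *)out;
    for (size_t i = len; i < sizeof(*out); i++)
        if (p[i]) return 0;
    return 1;
}
```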
