Date: Thu, 24 Aug 2017 17:52:45 +0300 From: Alexander Popov <alex.popov@...ux.com> To: oss-security@...ts.openwall.com, Tom Herbert <tom@...bertland.com>, "David S. Miller" <davem@...emloft.net> Subject: Linux kernel: fixed bug in net/core/flow_dissector.c Hello, I was asked to investigate a suspicious kernel crash on some Linux server. It is at least a remote DoS (and maybe RCE): Linux is crashed by receiving a single special MPLS packet. I bisected and found out that the bug was introduced in commit b3baa0fbd02a1a9d493d8cb92ae4a4491b9e9d13 Author: Tom Herbert <tom@...bertland.com> Date: Thu Jun 4 09:16:46 2015 -0700 And was later fixed it in commit a6e544b0a88b53114bfa5a57e21b7be7a8dfc9d0 Author: Tom Herbert <tom@...bertland.com> Date: Tue Sep 1 09:24:26 2015 -0700 So currently the mainline kernel is not affected. However, this fix is obfuscated and looks like unimportant code cleanup from the first glance. IMO that is not good. Moreover, the fix is a part of a branch which breaks the kernel build, so bisecting was not easy. Actually the vulnerability is the usage of uninitialized variables. It is caused by returning true without setting values for n_proto, ip_proto and thoff in __skb_flow_dissect(). Is it worth requesting a CVE ID for that issue? Best regards, Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ