Date: Thu, 24 Aug 2017 17:52:45 +0300
From: Alexander Popov <alex.popov@...ux.com>
To: oss-security@...ts.openwall.com, Tom Herbert <tom@...bertland.com>,
 "David S. Miller" <davem@...emloft.net>
Subject: Linux kernel: fixed bug in net/core/flow_dissector.c

Hello,

I was asked to investigate a suspicious kernel crash on some Linux
server. It is at least a remote DoS (and maybe RCE): Linux crashes on
receiving a single special MPLS packet.

I bisected and found out that the bug was introduced in
commit b3baa0fbd02a1a9d493d8cb92ae4a4491b9e9d13
Author: Tom Herbert <tom@...bertland.com>
Date:   Thu Jun 4 09:16:46 2015 -0700

And it was later fixed in
commit a6e544b0a88b53114bfa5a57e21b7be7a8dfc9d0
Author: Tom Herbert <tom@...bertland.com>
Date:   Tue Sep 1 09:24:26 2015 -0700

So currently the mainline kernel is not affected.

However, this fix is obfuscated and looks like unimportant code
cleanup at first glance. IMO that is not good. Moreover,
the fix is part of a branch which breaks the kernel build, so
bisecting was not easy.

Actually, the vulnerability is the use of uninitialized variables. It
is caused by returning true without setting values for n_proto, ip_proto
and thoff in __skb_flow_dissect().

Is it worth requesting a CVE ID for that issue?

Best regards,
Alexander
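The bug class described in the post (a dissector that returns "success" on an early-exit path without assigning its output fields, so the caller consumes whatever happened to be in those variables) is illustrated below by a constructed C example. This is added illustration, not the kernel's flow_dissector code or the referenced commits: the struct, the `dissect_buggy` / `dissect_fixed` functions, the fake header layout and the sentinel values are all assumptions made for the demo. The harness pre-fills the output struct with sentinels to stand in for stale stack contents, so the effect of the missing initialization is deterministic and observable.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the dissector's output fields (assumption:
 * this is not the kernel's struct flow_keys). */
struct flow_keys_demo {
    uint16_t n_proto;  /* network-layer protocol, an out-parameter */
    uint8_t  ip_proto; /* transport protocol, an out-parameter */
    int      thoff;    /* transport header offset, an out-parameter */
};

#define DEMO_PROTO_IP   0x0800  /* EtherType-like values, for the demo only */
#define DEMO_PROTO_MPLS 0x8847

/* Buggy pattern: the MPLS path reports success but leaves every field of
 * *keys untouched, so the caller goes on to use uninitialized values. */
static bool dissect_buggy(const uint8_t *pkt, size_t len, uint16_t proto,
                          struct flow_keys_demo *keys)
{
    if (proto == DEMO_PROTO_MPLS)
        return true;                 /* early exit, keys->* never written */
    if (proto == DEMO_PROTO_IP && len >= 20) {
        keys->n_proto  = proto;
        keys->ip_proto = pkt[9];     /* byte 9 of a constructed IPv4-like header */
        keys->thoff    = 20;
        return true;
    }
    return false;
}

/* Fixed pattern: every out-parameter is assigned before any return path,
 * so no code path can hand back stale values. */
static bool dissect_fixed(const uint8_t *pkt, size_t len, uint16_t proto,
                          struct flow_keys_demo *keys)
{
    keys->n_proto  = 0;
    keys->ip_proto = 0;
    keys->thoff    = 0;
    if (proto == DEMO_PROTO_MPLS) {
        keys->n_proto = proto;       /* record what was parsed, offset stays 0 */
        return true;
    }
    if (proto == DEMO_PROTO_IP && len >= 20) {
        keys->n_proto  = proto;
        keys->ip_proto = pkt[9];
        keys->thoff    = 20;
        return true;
    }
    return false;
}

/* Caller-side guard: refuse to use a transport offset that does not lie
 * inside the packet, instead of indexing memory with it. Returns the
 * offset, or -1 when it is out of range. */
static int transport_offset_checked(const struct flow_keys_demo *keys, size_t len)
{
    if (keys->thoff < 0 || (size_t)keys->thoff > len)
        return -1;
    return keys->thoff;
}

/* Harness: pre-fill the output struct with sentinels (simulating stale
 * stack contents), run one dissector, and return the offset the caller
 * would consume. -2 means the dissector reported failure. */
static int run_demo(bool use_fixed, uint16_t proto)
{
    uint8_t pkt[64];
    memset(pkt, 0, sizeof pkt);
    pkt[9] = 6;                      /* constructed: TCP in the fake IPv4 header */
    struct flow_keys_demo keys = { .n_proto = 0xffff, .ip_proto = 0xff,
                                   .thoff = 0x7fffffff };
    bool ok = use_fixed ? dissect_fixed(pkt, sizeof pkt, proto, &keys)
                        : dissect_buggy(pkt, sizeof pkt, proto, &keys);
    if (!ok)
        return -2;
    return transport_offset_checked(&keys, sizeof pkt);
}

int main(void)
{
    printf("buggy, MPLS: thoff=%d (stale sentinel leaked through)\n",
           run_demo(false, DEMO_PROTO_MPLS));
    printf("fixed, MPLS: thoff=%d\n", run_demo(true, DEMO_PROTO_MPLS));
    printf("fixed, IP:   thoff=%d\n", run_demo(true, DEMO_PROTO_IP));
    return 0;
}
```

With the buggy dissector the MPLS case returns success while `thoff` still holds the sentinel, which only the explicit range check in `transport_offset_checked` stops from being used as a packet offset; with the fixed dissector the same input yields a defined offset of 0. Compilers with `-Wall -Wextra` do not flag the buggy variant, because the fields are written through a pointer and the uninitialized read happens in the caller, which is why this class of bug is easy to miss in review and why a fix that simply adds initializations can look like cosmetic cleanup.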
