Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 16 Mar 2016 03:00:00 +0000
From: Justin Yackoski <>
To: "" <>
Subject: CVE-2016-2117 memory disclosure to ethernet due to unchecked
 scatter/gather IO

CVE-2016-2117 memory disclosure to ethernet due to unchecked scatter/gather IO


In-tree Linux ethernet drivers:

atheros/atlx/atl2.c  confirmed in versions 3.8 thru 4.5 (possibly earlier)

* see description for more details on other potential less severe impacts


When scatter/gather IO is enabled (NETIF_F_SG), the ethernet driver may be passed a

list of buffers containing the packet to be sent, rather than a single contiguous buffer

in order to improve performance.  If a driver claims to support scatter/gather but does

a simple memcpy, dma_map_single, or similar call from skb->data to skb->len the result

is that the outgoing packet will be sent containing the first full fragment followed by

whatever kernel memory was at the end of that first fragment.  This data is likely to be

other data from other skb's, but other sensitive data has been seen.  If hardware

checksumming is enabled, the resulting ethernet frame will be valid other than containing

the disclosed memory.

This bug is remotely exploitable in the atl2 driver whenever scatter/gather IO is triggered,

which can be done in some common applications (pcap samples available upon request).

Note that this bug was originally found in an out of tree driver (CVE-2016-2553), and may

go unnoticed in similar drivers until the right conditions for scatter/gather IO are hit.

Apart from the atl2 driver that can be remotely exploited, other in-tree drivers are not

remotely exploitable but a local privileged user with access to kernel runtime memory

may be able to cause a driver that does not check for skb fragments to start to behave



1) If using atl2 driver run the following at each boot (not confirmed due to lack of hardware


    ethtool -K <ethX> sg off

2) Other drivers that don't expect scatter/gather, ensure appropriate local permissions.

Recommended fixes:

1) remove NETIF_F_SG from atl2.c

2) if an ethernet driver does not handle scatter/gather, consider a run-time check for

     fragments in the ndo_start_xmit handler rather than a compile time-assumption for maximum



None available currently, although in atl2 simply remove the NETIF_F_SG identifier from the

hw_features of the net device structure.


Justin Yackoski @ Cryptonite

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.