CVE-2017-1000112

CVSS v3.1 7 (High)
CVSS v2.0 6.9 (Medium)
EPSS 0.09 % (39th)
Affected Products 1
Advisories 68

Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE, __ip_append_data() calls ip_ufo_append_data() to append. However, in between two send() calls, the append path can be switched from the UFO path to the non-UFO one, which leads to memory corruption. If the UFO packet length exceeds the MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate a new skb is taken. This triggers fragmentation and the computation of fraggap = skb_prev->len - maxfraglen. fraggap can exceed the MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently, skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in the IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.

Weaknesses
CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE Status
PUBLISHED
CNA
MITRE
Published Date
2017-10-05 01:29:04
(7 years ago)
Updated Date
2023-06-07 12:46:19
(15 months ago)

Affected Products


Configuration #1

  Product                                                    CPE23                           From        Up To
  Linux Kernel from 2.6.15 version and prior 3.10.108 version  cpe:2.3:o:linux:linux_kernel    >= 2.6.15   < 3.10.108
  Linux Kernel from 3.11 version and prior 3.16.47 version     cpe:2.3:o:linux:linux_kernel    >= 3.11     < 3.16.47
  Linux Kernel from 3.17 version and prior 3.18.65 version     cpe:2.3:o:linux:linux_kernel    >= 3.17     < 3.18.65
  Linux Kernel from 3.19 version and prior 4.4.82 version      cpe:2.3:o:linux:linux_kernel    >= 3.19     < 4.4.82
  Linux Kernel from 4.5 version and prior 4.9.43 version       cpe:2.3:o:linux:linux_kernel    >= 4.5      < 4.9.43
  Linux Kernel from 4.10 version and prior 4.12.7 version      cpe:2.3:o:linux:linux_kernel    >= 4.10     < 4.12.7