Message-ID: <459c5905-fded-264c-ac85-c5a456aa836e@linux.com>
Date: Thu, 24 Aug 2017 17:52:45 +0300
From: Alexander Popov <alex.popov@...ux.com>
To: oss-security@...ts.openwall.com, Tom Herbert <tom@...bertland.com>, "David S. Miller" <davem@...emloft.net>
Subject: Linux kernel: fixed bug in net/core/flow_dissector.c

Hello,

I was asked to investigate a suspicious kernel crash on some Linux server.
It is at least a remote DoS (and maybe RCE): Linux is crashed by receiving
a single special MPLS packet.

I bisected and found out that the bug was introduced in

commit b3baa0fbd02a1a9d493d8cb92ae4a4491b9e9d13
Author: Tom Herbert <tom@...bertland.com>
Date:   Thu Jun 4 09:16:46 2015 -0700

and was later fixed in

commit a6e544b0a88b53114bfa5a57e21b7be7a8dfc9d0
Author: Tom Herbert <tom@...bertland.com>
Date:   Tue Sep 1 09:24:26 2015 -0700

So currently the mainline kernel is not affected. However, this fix is
obfuscated and looks like unimportant code cleanup at first glance. IMO
that is not good. Moreover, the fix is a part of a branch which breaks the
kernel build, so bisecting was not easy.

Actually the vulnerability is the usage of uninitialized variables. It is
caused by returning true without setting values for n_proto, ip_proto and
thoff in __skb_flow_dissect().

Is it worth requesting a CVE ID for that issue?

Best regards,
Alexander
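The bug class the message describes (a dissector that reports success without writing its output fields, so the caller consumes stale stack memory as n_proto, ip_proto and thoff) is easy to see in a small stand-alone model. The following C program is an added illustration and is not the kernel's flow_dissector.c code nor either of the commits named above; the two-byte "proto" header, the constant values and the field names of the toy packet format are constructed for this example. It contrasts a dissector that returns true on an early path without defining its outputs with one that defines every output before any path can return true, and shows how the caller's pre-existing memory contents leak through in the buggy variant.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not kernel code: the fields a dissector is
 * expected to fill in for its caller. */
struct flow_result {
    uint16_t n_proto;  /* network-layer protocol */
    uint8_t  ip_proto; /* transport-layer protocol */
    uint16_t thoff;    /* offset of the transport header in the packet */
};

/* Constructed protocol numbers for the toy packet format below. */
enum { PROTO_NONE = 0, PROTO_IPV4 = 0x0800, PROTO_LABELLED = 0x8847 };

/* Toy packet: [2-byte proto][payload]. For PROTO_IPV4 the payload's first
 * byte is taken as the transport protocol and the header is 20 bytes. */
static uint16_t read_proto(const uint8_t *pkt)
{
    return (uint16_t)((pkt[0] << 8) | pkt[1]);
}

/* Buggy pattern: one branch claims success but writes nothing into *r. */
static bool buggy_dissect(const uint8_t *pkt, size_t len, struct flow_result *r)
{
    if (len < 2)
        return false;
    uint16_t proto = read_proto(pkt);
    if (proto == PROTO_IPV4) {
        if (len < 2 + 20)
            return false;
        r->n_proto = proto;
        r->ip_proto = pkt[2];
        r->thoff = 2 + 20;
        return true;
    }
    if (proto == PROTO_LABELLED)
        return true;   /* "success", yet n_proto/ip_proto/thoff untouched */
    return false;
}

/* Fixed pattern: every output is defined before any path may return true,
 * and the labelled branch reports what it actually knows. */
static bool fixed_dissect(const uint8_t *pkt, size_t len, struct flow_result *r)
{
    r->n_proto = PROTO_NONE;
    r->ip_proto = 0;
    r->thoff = 0;
    if (len < 2)
        return false;
    uint16_t proto = read_proto(pkt);
    if (proto == PROTO_IPV4) {
        if (len < 2 + 20)
            return false;
        r->n_proto = proto;
        r->ip_proto = pkt[2];
        r->thoff = 2 + 20;
        return true;
    }
    if (proto == PROTO_LABELLED) {
        r->n_proto = proto;
        r->thoff = 2;  /* transport header position is just past the label */
        return true;
    }
    return false;
}

/* Constructed sample: a labelled packet with a two-byte payload. */
static const uint8_t SAMPLE_LABELLED[] = { 0x88, 0x47, 0x01, 0x02 };

/* Fill the result with a sentinel first so stale memory is observable.
 * Returns the thoff the caller would go on to use. */
static uint16_t demo_buggy_stale_thoff(void)
{
    struct flow_result r;
    memset(&r, 0xFF, sizeof r);
    if (!buggy_dissect(SAMPLE_LABELLED, sizeof SAMPLE_LABELLED, &r))
        return 0;
    return r.thoff;   /* 0xFFFF: the sentinel survived, never written */
}

static uint16_t demo_fixed_thoff(void)
{
    struct flow_result r;
    memset(&r, 0xFF, sizeof r);
    if (!fixed_dissect(SAMPLE_LABELLED, sizeof SAMPLE_LABELLED, &r))
        return 0;
    return r.thoff;   /* 2: a defined, in-bounds offset */
}

int main(void)
{
    printf("buggy thoff=0x%04x (packet is %zu bytes long)\n",
           demo_buggy_stale_thoff(), sizeof SAMPLE_LABELLED);
    printf("fixed thoff=0x%04x\n", demo_fixed_thoff());
    return 0;
}
```

The sentinel makes the defect deterministic for demonstration; in real code the stale value is whatever the caller's stack or struct held, which is exactly why the crash looked "suspicious" rather than reproducible. Initialising outputs at function entry, and compiling with -Wall (GCC's -Wmaybe-uninitialized fires on some, not all, such paths) plus a MemorySanitizer or KMSAN run over the parser, are the checks that catch this class before a packet does.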