Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2017-1000112

Published: 10 August 2017

Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption. In case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.

From the Ubuntu Security Team

Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code.

Notes

AuthorNote
sbeattie
fix subject: udp: consistently apply ufo or fragmentation
smb
While working on the embargoed CVE we decided that Precise cannot be
exploited due to the missing user namespace support.

Priority

High

Cvss 3 Severity Score

7.0

Score breakdown

Status

Package Release Status
linux
Launchpad, Ubuntu, Debian
artful Not vulnerable
(4.12.0-11.12)
trusty
Released (3.13.0-128.177)
xenial
Released (4.4.0-91.114)
zesty
Released (4.10.0-32.36)
bionic Not vulnerable
(4.13.0-16.19)
upstream
Released (4.13~rc5)
Patches:
Introduced by

e89e9cf539a28df7d0eb1d0a545368e9920b34ac

Fixed by 85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa
linux-armadaxp
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Does not exist

xenial Does not exist

zesty Does not exist

bionic Does not exist

upstream
Released (4.13~rc5)
This package is not directly supported by the Ubuntu Security Team
linux-aws
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Not vulnerable
(4.4.0-1002.2)
xenial
Released (4.4.0-1030.39)
zesty Does not exist

bionic Not vulnerable
(4.15.0-1001.1)
upstream
Released (4.13~rc5)
linux-azure
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Not vulnerable
(4.15.0-1023.24~14.04.1)
xenial Not vulnerable
(4.11.0-1009.9)
zesty Does not exist

bionic Not vulnerable
(4.15.0-1002.2)
upstream
Released (4.13~rc5)
linux-euclid
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Does not exist

xenial Not vulnerable
(4.4.0-9019.20)
zesty Does not exist

bionic Does not exist

upstream
Released (4.13~rc5)
linux-flo
Launchpad, Ubuntu, Debian
trusty Does not exist
(trusty was ignored [abandoned])
xenial Ignored
(abandoned)
zesty Does not exist

bionic Does not exist

upstream
Released (4.13~rc5)
artful Does not exist

linux-gcp
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Does not exist

xenial Not vulnerable
(4.10.0-1004.4)
zesty Does not exist

bionic Not vulnerable
(4.15.0-1001.1)
upstream
Released (4.13~rc5)
linux-gke
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Does not exist

xenial
Released (4.4.0-1026.26)
zesty Does not exist

bionic Does not exist

upstream
Released (4.13~rc5)
linux-goldfish
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Does not exist
(trusty was ignored [abandoned])
xenial Ignored
(end of life, was needed)
zesty Ignored
(end of life)
bionic Does not exist

upstream
Released (4.13~rc5)
linux-grouper
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Does not exist
(trusty was ignored [abandoned])
xenial Does not exist

zesty Does not exist

bionic Does not exist

upstream
Released (4.13~rc5)
linux-hwe
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Does not exist

xenial
Released (4.10.0-32.36~16.04.1)
zesty Does not exist

bionic Not vulnerable

upstream
Released (4.13~rc5)
linux-hwe-edge
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Does not exist

xenial
Released (4.10.0-32.36~16.04.1)
zesty Does not exist

bionic
Released (4.18.0-8.9~18.04.1)
upstream
Released (4.13~rc5)
linux-kvm
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Does not exist

xenial Not vulnerable
(4.4.0-1004.9)
zesty Does not exist

bionic Not vulnerable
(4.15.0-1002.2)
upstream
Released (4.13~rc5)
linux-linaro-omap
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Does not exist

xenial Does not exist

zesty Does not exist

bionic Does not exist

upstream
Released (4.13~rc5)
linux-linaro-shared
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Does not exist

xenial Does not exist

zesty Does not exist

bionic Does not exist

upstream
Released (4.13~rc5)
linux-linaro-vexpress
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Does not exist

xenial Does not exist

zesty Does not exist

bionic Does not exist

upstream
Released (4.13~rc5)
linux-lts-quantal
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Does not exist

xenial Does not exist

zesty Does not exist

bionic Does not exist

upstream
Released (4.13~rc5)
This package is not directly supported by the Ubuntu Security Team
linux-lts-raring
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Does not exist

xenial Does not exist

zesty Does not exist

bionic Does not exist

upstream
Released (4.13~rc5)
linux-lts-saucy
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Does not exist

xenial Does not exist

zesty Does not exist

bionic Does not exist

upstream
Released (4.13~rc5)
This package is not directly supported by the Ubuntu Security Team
linux-lts-trusty
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Does not exist

xenial Does not exist

zesty Does not exist

bionic Does not exist

upstream
Released (4.13~rc5)
linux-lts-utopic
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Does not exist
(trusty was ignored [end of standard support])
xenial Does not exist

zesty Does not exist

bionic Does not exist

upstream
Released (4.13~rc5)
linux-lts-vivid
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Ignored
(end of life, was needs-triage)
xenial Does not exist

zesty Does not exist

bionic Does not exist

upstream
Released (4.13~rc5)
linux-lts-wily
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Does not exist
(trusty was ignored [end of standard support])
xenial Does not exist

zesty Does not exist

bionic Does not exist

upstream
Released (4.13~rc5)
linux-lts-xenial
Launchpad, Ubuntu, Debian
artful Does not exist

trusty
Released (4.4.0-91.114~14.04.1)
xenial Does not exist

zesty Does not exist

bionic Does not exist

upstream
Released (4.13~rc5)
linux-maguro
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Does not exist
(trusty was ignored [abandoned])
xenial Does not exist

zesty Does not exist

bionic Does not exist

upstream
Released (4.13~rc5)
linux-mako
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Does not exist
(trusty was ignored [abandoned])
xenial Ignored
(abandoned)
zesty Does not exist

bionic Does not exist

upstream
Released (4.13~rc5)
linux-manta
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Does not exist
(trusty was ignored [abandoned])
xenial Does not exist

zesty Does not exist

bionic Does not exist

upstream
Released (4.13~rc5)
linux-oem
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Does not exist

xenial Not vulnerable
(4.13.0-1008.9)
zesty Does not exist

bionic Not vulnerable
(4.15.0-1002.3)
upstream
Released (4.13~rc5)
linux-qcm-msm
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Does not exist

xenial Does not exist

zesty Does not exist

bionic Does not exist

upstream
Released (4.13~rc5)
linux-raspi2
Launchpad, Ubuntu, Debian
artful Not vulnerable
(4.10.0-1015.18)
trusty Does not exist

xenial
Released (4.4.0-1069.77)
zesty
Released (4.10.0-1015.18)
bionic Not vulnerable
(4.13.0-1005.5)
upstream
Released (4.13~rc5)
linux-snapdragon
Launchpad, Ubuntu, Debian
artful Not vulnerable
(4.4.0-1071.76)
trusty Does not exist

xenial
Released (4.4.0-1071.76)
zesty
Released (4.4.0-1071.76)
bionic Not vulnerable

upstream
Released (4.13~rc5)
linux-ti-omap4
Launchpad, Ubuntu, Debian
artful Does not exist

trusty Does not exist

xenial Does not exist

zesty Does not exist

bionic Does not exist

upstream
Released (4.13~rc5)

Severity score breakdown

Parameter Value
Base score 7.0
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H