oss-sec mailing list archives
Re: CVE Request: Linux Kernel: Linux netfilter IPT_SO_SET_REPLACE memory corruption
From: Steve Beattie <steve () nxnw org>
Date: Thu, 10 Mar 2016 03:16:36 -0800
Hi,

On Thu, Mar 10, 2016 at 10:25:49AM +0100, Marcus Meissner wrote:
> From the P0 team at Google:
> https://code.google.com/p/google-security-research/issues/detail?id=758
>
> A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing.
>
> ...
>
> I think this needs a CVE.
It likely needs two: one for the issue above, which has been proposed to be addressed by
http://marc.info/?l=netfilter-devel&m=145757134822741&w=2
and one for the unsigned integer overflow on 32-bit kernels mentioned as an aside at the end of the original report. Proposed fix is
http://marc.info/?l=netfilter-devel&m=145757136822750&w=2

Thanks.

--
Steve Beattie <sbeattie () ubuntu com>
http://NxNW.org/~steve/