oss-sec mailing list archives
CVE-2017-8824 linux: use-after-free in DCCP code
From: Mohamed Ghannam <simo.ghannam () gmail com>
Date: Tue, 5 Dec 2017 00:11:41 +0000
Hi, This is an announcement for CVE-2017-8824 which is a use-after-free vulnerability I found in Linux DCCP socket. It can be used to gain kernel code execution from unprivileged processes. You’ll find in attachment the proof of concept code and the kernel panic log. ####### BUG DETAILS ############ When a socket sock object is in DCCP_LISTEN state and connect() system call is being called with AF_UNSPEC, the dccp_disconnect() puts sock state into DCCP_CLOSED, and forgets to free dccps_hc_rx_ccid/dccps_hc_tx_ccid and assigns NULL to them, then when we call connect() again with AF_INET6 sockaddr family, the sock object gets cloned via dccp_create_openreq_child() and returns a new sock object, which holds references of dccps_hc_rx_ccid and dccps_hc_tx_ccid of the old sock object, and this leads to both the old and new sock objects can use the same memory. ####### LINKS ############ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8824 http://lists.openwall.net/netdev/2017/12/04/224 ####### CREDITS ############ Mohamed Ghannam
Attachment:
kasan_report.log
Description:
Attachment:
poc.c
Description:
Attachment:
rip.log
Description:
Current thread:
- CVE-2017-8824 linux: use-after-free in DCCP code Mohamed Ghannam (Dec 04)