Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 489426 (CVE-2013-4470) - Kernel : net: memory corruption with UDP_CORK and UFO (CVE-2013-4470)
Summary: Kernel : net: memory corruption with UDP_CORK and UFO (CVE-2013-4470)
Status: RESOLVED FIXED
Alias: CVE-2013-4470
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Kernel Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-26 06:15 UTC by Agostino Sarubbo
Modified: 2022-03-25 15:41 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-10-26 06:15:12 UTC
From ${URL} :

Linux kernel built with an Ethernet driver(ex virtio-net) which has UDP
Fragmentation Offload(UFO) feature ON is vulnerable to a memory corruption flaw
when UDP_CORK socket option is set. It could occur when sending large messages,
wherein not all messages are greater than maximum transfer unit(MTU) of the
underlying medium.

An unprivileged user/program could use this flaw to crash the kernel resulting in DoS, or 
potentially escalate their privileges on the system.


Upstream fix:
-------------
 -> http://patchwork.ozlabs.org/patch/285292/
 -> https://git.kernel.org/linus/c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b
 -> https://git.kernel.org/linus/e93b7d748be887cd7639b113ba7d7ef792a7efb9
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-11-27 21:48:11 UTC
CVE-2013-4470 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4470):
  The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is
  enabled, does not properly initialize certain data structures, which allows
  local users to cause a denial of service (memory corruption and system
  crash) or possibly gain privileges via a crafted application that uses the
  UDP_CORK option in a setsockopt system call and sends both short and long
  packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c
  and the ip6_ufo_append_data function in net/ipv6/ip6_output.c.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-25 15:41:54 UTC
Fixes in 3.11.7 onwards