| Summary: | Kernel : net: memory corruption with UDP_CORK and UFO (CVE-2013-4470) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Kernel | Assignee: | Gentoo Kernel Security <security-kernel> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | kernel |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1023477 | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
CVE-2013-4470 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4470): The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c. Fixes in 3.11.7 onwards |
From ${URL} : Linux kernel built with an Ethernet driver(ex virtio-net) which has UDP Fragmentation Offload(UFO) feature ON is vulnerable to a memory corruption flaw when UDP_CORK socket option is set. It could occur when sending large messages, wherein not all messages are greater than maximum transfer unit(MTU) of the underlying medium. An unprivileged user/program could use this flaw to crash the kernel resulting in DoS, or potentially escalate their privileges on the system. Upstream fix: ------------- -> http://patchwork.ozlabs.org/patch/285292/ -> https://git.kernel.org/linus/c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b -> https://git.kernel.org/linus/e93b7d748be887cd7639b113ba7d7ef792a7efb9