
Bug 510162 (CVE-2014-3144)

Summary: Kernel: filter: prevent nla extensions to peek beyond the end of the message (CVE-2014-3144)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: Kernel Assignee: Gentoo Kernel Security <security-kernel>
Status: RESOLVED FIXED    
Severity: normal CC: kernel
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-05-12 14:36:09 UTC
CVE-2014-3144 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3144):
  The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension implementations 
  in the sk_run_filter function in net/core/filter.c in the Linux kernel 
  through 3.14.3 do not check whether a certain length value is sufficiently 
  large, which allows local users to cause a denial of service (integer underflow 
  and system crash) via crafted BPF instructions. NOTE: the affected code 
  was moved to the __skb_get_nlattr and __skb_get_nlattr_nest functions before 
  the vulnerability was announced.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-08-10 21:54:43 UTC
CVE-2014-3144 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3144):
  The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension
  implementations in the sk_run_filter function in net/core/filter.c in the
  Linux kernel through 3.14.3 do not check whether a certain length value is
  sufficiently large, which allows local users to cause a denial of service
  (integer underflow and system crash) via crafted BPF instructions.  NOTE:
  the affected code was moved to the __skb_get_nlattr and
  __skb_get_nlattr_nest functions before the vulnerability was announced.
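The integer underflow named in the CVE text, shown as an added example in a simplified user-space model (not kernel code and not part of this bug report). The struct, the function names and the sample message are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified attribute header: an illustrative stand-in, not the kernel's struct. */
struct attr_hdr { uint16_t len; uint16_t type; };
#define HDR ((uint32_t)sizeof(struct attr_hdr))

/* Unchecked pattern: when msg_len < HDR the unsigned subtraction wraps
 * to a value near 2^32, so no offset is ever rejected. */
static int offset_ok_unchecked(uint32_t msg_len, uint32_t off)
{ return off <= msg_len - HDR; }

/* Hardened pattern: refuse messages shorter than one header first. */
static int offset_ok_checked(uint32_t msg_len, uint32_t off)
{ return msg_len >= HDR && off <= msg_len - HDR; }

/* Bounded lookup on top of the hardened check: offset of the first
 * attribute of `type` at or after `off`, or -1 if there is none. */
static long find_attr(const uint8_t *msg, uint32_t msg_len, uint32_t off, uint16_t type)
{
    while (offset_ok_checked(msg_len, off)) {
        struct attr_hdr h;
        memcpy(&h, msg + off, HDR);       /* header is fully in bounds */
        if (h.len < HDR || h.len > msg_len - off)
            return -1;                    /* malformed or truncated */
        if (h.type == type)
            return (long)off;
        off += (h.len + 3u) & ~3u;        /* 4-byte attribute alignment */
    }
    return -1;
}

/* Constructed 16-byte sample (type 1, len 8; type 2, len 6 + padding),
 * searched as if only the first msg_len (<= 16) bytes were received. */
static long sample_lookup(uint32_t msg_len, uint16_t type)
{
    struct attr_hdr a = { 8, 1 }, b = { 6, 2 };
    uint8_t buf[16] = { 0 };
    memcpy(buf, &a, HDR);
    memcpy(buf + 8, &b, HDR);
    return find_attr(buf, msg_len, 0, type);
}

int main(void)
{
    printf("2-byte msg: unchecked=%d checked=%d; type 2 at offset %ld\n",
           offset_ok_unchecked(2, 0), offset_ok_checked(2, 0), sample_lookup(16, 2));
    return 0;
}
```

For a 2-byte message the unchecked test accepts offset 0 even though no complete header fits, while the hardened test rejects it.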