Bug 1479307 - (CVE-2017-1000112) CVE-2017-1000112 kernel: Exploitable memory corruption due to UFO to non-UFO path switch
CVE-2017-1000112 kernel: Exploitable memory corruption due to UFO to non-UFO ...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 1481529 1481530 1481532 1481533 1481534 1481535 1481536 1481537 1480465 1481531
Blocks: 1479311
  Show dependency treegraph
Reported: 2017-08-08 06:49 EDT by Andrej Nemec
Modified: 2017-09-05 08:12 EDT (History)
39 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Andrej Nemec 2017-08-08 06:49:42 EDT
A memory corruption issue was found in the Linux kernel. 

When building a UFO packet with MSG_MORE __ip_append_data() calls
ip_ufo_append_data() to append. However in between two send() calls,
the append path can be switched from UFO to non-UFO one, which leads
to a memory corruption.

In case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len
becomes negative on the non-UFO path and the branch to allocate new
skb is taken. This triggers fragmentation and computation of fraggap =
skb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy =
datalen - transhdrlen - fraggap to become negative. Subsequently
skb_copy_and_csum_bits() writes out-of-bounds.

Introducing commit:

Comment 1 Andrej Nemec 2017-08-08 06:49:54 EDT

Name: Andrey Konovalov
Comment 2 Adam Mariš 2017-08-11 04:08:16 EDT
Public via:

Comment 3 Adam Mariš 2017-08-11 04:08:59 EDT
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1480465]
Comment 5 Wade Mealing 2017-08-14 23:57:19 EDT

This issue affects the Linux kernel packages as shipped with Red Hat
Enterprise Linux 5,6, 7 and MRG-2.

Future Linux kernel updates for the respective releases may address this issue.
Comment 7 Wade Mealing 2017-08-15 01:20:50 EDT
Additional information:

This mainly affects systems that have UFO (UDP fragment offload) enabled.

You can see if this is configured on or off with the ethool command:

# ethtool -k em1 |grep "udp-fragmentation-offload:"

udp-fragmentation-offload: off [fixed]

If enabled, disabling the UDP fragementation offload will mitigate this flaw and is documented in this solution: https://access.redhat.com/solutions/2127401

Note You need to log in before you can comment on or make changes to this bug.