A memory corruption issue was found in the Linux kernel. When building a UFO packet with MSG_MORE, __ip_append_data() calls ip_ufo_append_data() to append. However, between two send() calls the append path can be switched from the UFO path to the non-UFO one, which leads to memory corruption. If the UFO packet length exceeds the MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch that allocates a new skb is taken. This triggers fragmentation and the computation of fraggap = skb_prev->len - maxfraglen. fraggap can exceed the MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out of bounds. Introducing commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e89e9cf539a2
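The length arithmetic described above, carried through in user space as an added illustration (this is not kernel code and not part of the original advisory). It models the non-UFO branch of __ip_append_data() with the same names the description uses (mtu, fragheaderlen, maxfraglen, skb->len, fraggap, datalen, transhdrlen, copy) and compares three constructed cases: a second send() that still fits the queued skb, an oversized UFO skb whose fraggap stays below the MTU, and one whose fraggap exceeds the MTU. The MTU (1500), the IPv4 header length (20) and the skb lengths are constructed values; the 8-byte fragment alignment mirrors how the kernel sizes IP fragments.

```c
/*
 * Added illustration of the CVE description's arithmetic; not kernel code.
 * All values below are constructed (MTU 1500, IPv4 header 20, no options).
 */
#include <stdio.h>
#include <stdbool.h>

struct frag_calc {
    int maxfraglen;   /* largest on-wire fragment: 8-byte aligned payload + IP header */
    int copy_first;   /* maxfraglen - skb->len on the non-UFO path */
    bool new_skb;     /* copy_first <= 0: the "allocate a new skb" branch is taken */
    int fraggap;      /* skb_prev->len - maxfraglen: tail moved into the new skb */
    int datalen;      /* payload budget the new skb is allocated for */
    int copy_second;  /* datalen - transhdrlen - fraggap */
    bool oob_write;   /* fraggap bytes are copied into room sized for datalen */
};

/* IP fragment payloads must be multiples of 8 bytes (fragment offset unit). */
int calc_maxfraglen(int mtu, int fragheaderlen)
{
    return ((mtu - fragheaderlen) & ~7) + fragheaderlen;
}

/*
 * skb_len:     length of the skb left queued by the earlier send(); on the
 *              UFO path it was allowed to grow past the MTU.
 * length:      bytes carried by the current send(), now on the non-UFO path.
 * transhdrlen: transport header bytes still to be written (0 once the
 *              first skb already carries the UDP header).
 */
struct frag_calc model_switch(int mtu, int fragheaderlen, int skb_len,
                              int length, int transhdrlen)
{
    struct frag_calc r = {0};
    r.maxfraglen = calc_maxfraglen(mtu, fragheaderlen);

    /* Non-UFO path: does the new data still fit into the queued skb? */
    r.copy_first = r.maxfraglen - skb_len;
    if (r.copy_first > 0)
        return r;                       /* benign: append in place */
    r.new_skb = true;

    /* Everything beyond maxfraglen in the previous skb becomes fraggap. */
    r.fraggap = skb_len - r.maxfraglen;

    /* The new skb is sized for at most one fragment's worth of payload. */
    r.datalen = length + r.fraggap;
    if (r.datalen > mtu - fragheaderlen)
        r.datalen = r.maxfraglen - fragheaderlen;

    /* fraggap bytes are copied with skb_copy_and_csum_bits() before this
     * value is checked; a negative copy means fraggap did not fit. */
    r.copy_second = r.datalen - transhdrlen - r.fraggap;
    r.oob_write = r.copy_second < 0;
    return r;
}

static void show(const char *label, struct frag_calc r)
{
    printf("%-28s maxfraglen=%d copy=%d new_skb=%d fraggap=%d datalen=%d "
           "copy=%d oob=%d\n", label, r.maxfraglen, r.copy_first, r.new_skb,
           r.fraggap, r.datalen, r.copy_second, r.oob_write);
}

int main(void)
{
    /* skb->len includes the 20-byte IP and 8-byte UDP headers. */
    show("fits in queued skb",      model_switch(1500, 20, 1000, 100, 0));
    show("UFO skb, fraggap < MTU",  model_switch(1500, 20, 2028, 100, 0));
    show("UFO skb, fraggap > MTU",  model_switch(1500, 20, 4028, 100, 0));
    return 0;
}
```

With a 2000-byte UFO payload queued (skb->len 2028) the new skb's datalen still covers the 528-byte fraggap, so only the over-MTU case (skb->len 4028, fraggap 2528 capped against datalen 1480) drives copy negative; that is the condition the description identifies as the out-of-bounds write.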
Acknowledgments: Name: Andrey Konovalov
Public via: http://seclists.org/oss-sec/2017/q3/277
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1480465]
Statement: This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6, 7 and MRG-2. Future Linux kernel updates for the respective releases may address this issue.
Additional information: This mainly affects systems that have UFO (UDP fragmentation offload) enabled. You can see whether it is configured on or off with the ethtool command, for example on the interface em1:
# ethtool -k em1 | grep "udp-fragmentation-offload:"
udp-fragmentation-offload: off [fixed]
A value of "off [fixed]" means the driver does not support UFO and it cannot be enabled; a plain "on" means it is active on that interface. Run the check on every interface the system uses, including virtual ones, as UFO support depends on the driver. If enabled, disabling UDP fragmentation offload (ethtool -K <interface> ufo off, which does not persist across reboots) will mitigate this flaw and is documented in this solution: https://access.redhat.com/solutions/2127401
Fix is at: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa
This issue has been addressed in the following products: Red Hat Enterprise MRG 2 Via RHSA-2017:2918 https://access.redhat.com/errata/RHSA-2017:2918
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2930 https://access.redhat.com/errata/RHSA-2017:2930
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2931 https://access.redhat.com/errata/RHSA-2017:2931
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2017:3200 https://access.redhat.com/errata/RHSA-2017:3200
This issue has been addressed in the following products: Red Hat Enterprise Linux 5.9 Long Life Via RHSA-2019:1932 https://access.redhat.com/errata/RHSA-2019:1932
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Extended Lifecycle Support Via RHSA-2019:1931 https://access.redhat.com/errata/RHSA-2019:1931
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.3 Telco Extended Update Support Red Hat Enterprise Linux 7.3 Advanced Update Support Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions Via RHSA-2019:4159 https://access.redhat.com/errata/RHSA-2019:4159