In Linux Kernel 4.16 the netfilter snmp nat component was rewritten to use the asn1 parser generator. Unfortunately, the grammar defines two callbacks that do NOT check if enough data is provided. This results in an out-of-bounds write into the "skb shinfo" area, which can lead to privilege escalation. This might be remotely exploitable if the host is configured for snmp nat.

Introduced in: https://github.com/torvalds/linux/commit/cc2d58634e0f489d28b5564c05abc69930b4d920

Upstream Patch: https://github.com/torvalds/linux/commit/c4c07b4d6fa1f11880eab8e076d3d060ef3f55fc
Public through: https://bugs.chromium.org/p/project-zero/issues/detail?id=1776
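The bug class described above, as an added illustration that is not the kernel's own code: two decoder callbacks that copy an element's value into fixed-size fields, written with the length check the report says was missing. The callback signature is modelled on the asn1 decoder's action callbacks (context, header length, tag, value pointer, value length), and `struct snmp_ctx` is a constructed stand-in for the helper's real state.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the helper's decode state (not the kernel's struct). */
struct snmp_ctx {
    uint32_t from;     /* 4-byte IPv4 address the NAT helper rewrites */
    int      version;  /* SNMP version, a single byte on the wire */
};

/* Value is declared 4 bytes wide; without the check below, a longer element
 * would make memcpy() run past the field. The check is the hardened form. */
static int snmp_helper_checked(void *context, size_t hdrlen, unsigned char tag,
                               const void *data, size_t datalen)
{
    struct snmp_ctx *ctx = context;
    (void)hdrlen; (void)tag;
    if (datalen != sizeof(ctx->from))
        return -EINVAL;              /* malformed element: refuse before copying */
    memcpy(&ctx->from, data, sizeof(ctx->from));
    return 0;
}

static int snmp_version_checked(void *context, size_t hdrlen, unsigned char tag,
                                const void *data, size_t datalen)
{
    struct snmp_ctx *ctx = context;
    (void)hdrlen; (void)tag;
    if (datalen != 1)
        return -EINVAL;
    ctx->version = *(const unsigned char *)data;
    return 0;
}

/* Feed constructed well-formed and over-long values through both callbacks.
 * Returns 0 only if the good ones are accepted and the bad ones refused. */
int run_constructed_cases(void)
{
    struct snmp_ctx ctx = {0};
    const unsigned char addr4[4] = {192, 0, 2, 10};     /* well-formed address */
    const unsigned char addr5[5] = {1, 2, 3, 4, 5};     /* one byte too long */
    const unsigned char ver1[1]  = {0};                 /* SNMPv1 */
    const unsigned char ver2[2]  = {0, 1};              /* one byte too long */
    int failures = 0;

    failures += snmp_helper_checked(&ctx, 0, 0x40, addr4, 4) != 0;
    failures += memcmp(&ctx.from, addr4, 4) != 0;
    failures += snmp_helper_checked(&ctx, 0, 0x40, addr5, 5) != -EINVAL;
    failures += snmp_version_checked(&ctx, 0, 0x02, ver1, 1) != 0 || ctx.version != 0;
    failures += snmp_version_checked(&ctx, 0, 0x02, ver2, 2) != -EINVAL;
    return failures;
}
```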
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1683444]
Fedora started tracking this in bodhi in 1679972.
*** This bug has been marked as a duplicate of bug 1683191 ***