Linux Kernel net guard tcp_set_keepalive against crash

2014.09.15
Credit: Dave Jones
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 4.9/10
Impact Subscore: 6.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

Hello, Linux kernel built with the Networking support(CONFIG_NET) is vulnerable to a crash, while resetting a socket timer. It could occur while doing a setsockopt(SO_KEEPALIVE) call. A privileged user/process able to create RAW socket could use this flaw to crash the system kernel resulting in DoS. Upstream fix: - ------------- -> https://git.kernel.org/linus/3e10986d1d698140747fcfc2761ec9cb64c1d582 diff --git a/net/core/sock.c b/net/core/sock.c index 3057920..a6000fb 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -691,7 +691,8 @@ set_rcvbuf: case SO_KEEPALIVE: #ifdef CONFIG_INET - if (sk->sk_protocol == IPPROTO_TCP) + if (sk->sk_protocol == IPPROTO_TCP && + sk->sk_type == SOCK_STREAM) tcp_set_keepalive(sk, valbool); #endif sock_valbool_flag(sk, SOCK_KEEPOPEN, valbool); generated by cgit v0.10.1 at 2014-09-15 11:41:53 (GMT) Reference: - ---------- -> https://bugzilla.redhat.com/show_bug.cgi?id=1141742 Thank you. - -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
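Review bot: The tightened condition in the SO_KEEPALIVE case (sk->sk_protocol == IPPROTO_TCP && sk->sk_type == SOCK_STREAM) has no comment explaining why the protocol test alone is not enough, so a later cleanup could drop the second half as redundant. A short comment above the if would help, saying that a raw socket can carry IPPROTO_TCP as its protocol without being a TCP sock, which is the case the advisory text describes. Separately, sock_valbool_flag(sk, SOCK_KEEPOPEN, valbool) on the following context line still runs for every socket type, so the flag is still set on the raw socket even though tcp_set_keepalive() is now skipped; it is worth confirming that nothing else reads SOCK_KEEPOPEN on the assumption that the socket is TCP. As far as this hunk shows, the guard exists only at this call site, and tcp_set_keepalive() itself continues to trust its caller.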

References:

https://git.kernel.org/linus/3e10986d1d698140747fcfc2761ec9cb64c1d582
https://bugzilla.redhat.com/show_bug.cgi?id=1141742

