CVE-2017-1000112
- ULN >
- Oracle Linux CVE repository >
- CVE-2017-1000112
CVE Details
| Release Date: | 2017-08-10 |
Description
Linux kernel: Exploitable memory corruption due to UFO to non-UFO pathswitch. When building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption. In case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in IPv6 code. The bug was introduced in e89e9cf539a2 ([IPv4/IPv6]:
See more information about CVE-2017-1000112 from MITRE CVE dictionary and NIST NVD
CVSS v2.0 metrics
NOTE: The following CVSS v2.0 metrics and score provided are preliminary and subject to review.
| Base Score: | 6.9 | Base Metrics: | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| Access Vector: | Local network | Attack Complexity: | Medium |
| Authentication: | None required | Confidentiality Impact: | Complete |
| Integrity Impact: | Complete | Availability Impact: | Complete |
Errata information
| Platform | Errata | Release Date |
| Oracle Linux version 6 (kernel) | ELSA-2017-3200 | 2017-11-15 |
| Oracle Linux version 6 (kernel-uek) | ELSA-2017-3631 | 2017-10-24 |
| Oracle Linux version 7 (kernel) | ELSA-2017-2930 | 2017-10-19 |
| Oracle Linux version 7 (kernel) | ELSA-2017-2930-1 | 2017-10-20 |
| Oracle Linux version 7 (kernel-uek) | ELSA-2017-3631 | 2017-10-24 |
| Oracle VM version 3.4 (kernel-uek) | OVMSA-2017-0163 | 2017-10-26 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team
