Remote denial of service (system crash) caused by integer overflow in TCP SACK handling

Bug #1831637 reported by Tyler Hicks
262
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Fix Released
High
Unassigned
Precise
Fix Released
Undecided
Unassigned
Trusty
Fix Released
Undecided
Unassigned
Xenial
Fix Released
Undecided
Unassigned
Bionic
Fix Released
Undecided
Unassigned
Cosmic
Fix Released
Undecided
Unassigned
Disco
Fix Released
Undecided
Unassigned

Bug Description

Jonathan Looney discovered that a remote attacker could cause a denial of service (system crash) via a maliciously crafted TCP session and a certain sequence of SACKs.

Tags: cscc

CVE References

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.15.0-52.56

---------------
linux (4.15.0-52.56) bionic; urgency=medium

  * Remote denial of service (resource exhaustion) caused by TCP SACK scoreboard
    manipulation (LP: #1831638)
    - SAUCE: tcp: tcp_fragment() should apply sane memory limits

  * Remote denial of service (system crash) caused by integer overflow in TCP
    SACK handling (LP: #1831637)
    - SAUCE: tcp: limit payload size of sacked skbs

 -- Marcelo Henrique Cerri <email address hidden> Tue, 04 Jun 2019 17:33:24 -0300

Changed in linux (Ubuntu Bionic):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.18.0-22.23

---------------
linux (4.18.0-22.23) cosmic; urgency=medium

  * Remote denial of service (resource exhaustion) caused by TCP SACK scoreboard
    manipulation (LP: #1831638)
    - SAUCE: tcp: tcp_fragment() should apply sane memory limits

  * Remote denial of service (system crash) caused by integer overflow in TCP
    SACK handling (LP: #1831637)
    - SAUCE: tcp: limit payload size of sacked skbs

 -- Marcelo Henrique Cerri <email address hidden> Tue, 04 Jun 2019 15:23:00 -0300

Changed in linux (Ubuntu Cosmic):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.0.0-17.18

---------------
linux (5.0.0-17.18) disco; urgency=medium

  * Remote denial of service (resource exhaustion) caused by TCP SACK scoreboard
    manipulation (LP: #1831638)
    - SAUCE: tcp: tcp_fragment() should apply sane memory limits

  * Remote denial of service (system crash) caused by integer overflow in TCP
    SACK handling (LP: #1831637)
    - SAUCE: tcp: limit payload size of sacked skbs

 -- Stefan Bader <email address hidden> Tue, 04 Jun 2019 17:22:50 +0200

Changed in linux (Ubuntu Disco):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-151.178

---------------
linux (4.4.0-151.178) xenial; urgency=medium

  * Remote denial of service (system crash) caused by integer overflow in TCP
    SACK handling (LP: #1831637)
    - SAUCE: tcp: limit payload size of sacked skbs
    - SAUCE: tcp: fix fack_count accounting on tcp_shift_skb_data()

  * Remote denial of service (resource exhaustion) caused by TCP SACK scoreboard
    manipulation (LP: #1831638)
    - SAUCE: tcp: tcp_fragment() should apply sane memory limits

 -- Stefan Bader <email address hidden> Tue, 11 Jun 2019 09:36:19 +0200

Changed in linux (Ubuntu Xenial):
status: New → Fix Released
Tyler Hicks (tyhicks)
information type: Private Security → Public Security
Revision history for this message
Tyler Hicks (tyhicks) wrote :

This bug report represents CVE-2019-11477

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.0.0-17.18

---------------
linux (5.0.0-17.18) disco; urgency=medium

  * Remote denial of service (resource exhaustion) caused by TCP SACK scoreboard
    manipulation (LP: #1831638)
    - SAUCE: tcp: tcp_fragment() should apply sane memory limits

  * Remote denial of service (system crash) caused by integer overflow in TCP
    SACK handling (LP: #1831637)
    - SAUCE: tcp: limit payload size of sacked skbs

 -- Stefan Bader <email address hidden> Tue, 04 Jun 2019 17:22:50 +0200

Changed in linux (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Ubuntu 14.04 ESM's base kernel was fixed with version 3.13.0-171.222.
Ubuntu 12.04 ESM's base kernel was fixed with version 3.2.0-141.188.

Changed in linux (Ubuntu Trusty):
status: New → Fix Released
Changed in linux (Ubuntu Precise):
status: New → Fix Released
Brad Figg (brad-figg)
tags: added: cscc
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.