CVE-2016-8645: Linux kernel mishandles socket buffer (skb) truncation

Bug #1687107 reported by Dan Streetman on 2017-04-28

Bug Description


From CVE description:

"The TCP stack in the Linux kernel before 4.8.10 mishandles skb truncation,
which allows local users to cause a denial of service (system crash) via a
crafted application that makes sendto system calls, related to
net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c."

[Test Case]
See references in the CVE page.

[Regression Potential]
This modifies the code that handles all tcp packets, so it could cause problems with network traffic, although unlikely since it's been applied upstream and to various stable kernels (but not the 3.13.y stable branch).

[Other Info]
The patch appears to have been pulled into xenial through the 4.4.y stable tree, but it doesn't appear that the patch will be applied to the 3.13.y stable tree, so this bug is to track manually adding the patch.


This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1687107

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Dan Streetman (ddstreet) on 2017-04-28
Changed in linux (Ubuntu):
status: Incomplete → In Progress
importance: Undecided → Low
assignee: nobody → Dan Streetman (ddstreet)
tags: added: sts-sru
Changed in linux (Ubuntu Trusty):
status: New → In Progress
importance: Undecided → Low
assignee: nobody → Dan Streetman (ddstreet)
Changed in linux (Ubuntu Trusty):
status: In Progress → Fix Committed
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'. If the problem still exists, change the tag 'verification-needed-trusty' to 'verification-failed-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-trusty
Dan Streetman (ddstreet) wrote :

No public reproduction documentation has been provided for this CVE (that I can find). However, I verified the change is in the 3.13.0-119.166 kernel source.

tags: added: verification-done-trusty
removed: verification-needed-trusty
tags: removed: sts-sru
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.13.0-119.166

linux (3.13.0-119.166) trusty; urgency=low

  * linux: 3.13.0-119.166 -proposed tracker (LP: #1687718)

  * CVE-2016-8645: Linux kernel mishandles socket buffer (skb) truncation
    (LP: #1687107)
    - rose: limit sk_filter trim to payload
    - tcp: take care of truncations done by sk_filter()

linux (3.13.0-118.165) trusty; urgency=low

  * linux: 3.13.0-118.165 -proposed tracker (LP: #1686154)

  * linux_3.13.0-*.*: nVMX: Check current_vmcs12 before accessing in
    handle_invept() (LP: #1678676)
    - SAUCE: KVM has a flaw in INVEPT emulation that could crash the host

  * Please backport fix to reference leak in cgroup blkio throttle
    (LP: #1683976)
    - block: fix module reference leak on put_disk() call for cgroups throttle

 -- Thadeu Lima de Souza Cascardo <email address hidden> Tue, 02 May 2017 15:14:50 -0300

Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
Dan Streetman (ddstreet) on 2017-09-28
Changed in linux (Ubuntu):
status: In Progress → Fix Released
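
A way to confirm from a package changelog which upload carries this fix, as an added example (not code from the bug report or from the Ubuntu kernel team): it parses the changelog format shown in the Launchpad Janitor comment, finds the upload that first lists the CVE together with its patch titles, and compares a package version against it. The function names are hypothetical, the version comparison is a simplified numeric one rather than full dpkg ordering, and the embedded changelog is a trimmed copy of the excerpt on this page.

```python
import re

# Changelog text copied (trimmed) from the Launchpad Janitor comment on this page.
CHANGELOG = """\
linux (3.13.0-119.166) trusty; urgency=low

  * linux: 3.13.0-119.166 -proposed tracker (LP: #1687718)

  * CVE-2016-8645: Linux kernel mishandles socket buffer (skb) truncation
    (LP: #1687107)
    - rose: limit sk_filter trim to payload
    - tcp: take care of truncations done by sk_filter()

linux (3.13.0-118.165) trusty; urgency=low

  * linux: 3.13.0-118.165 -proposed tracker (LP: #1686154)
"""

HEADER = re.compile(r"^(\S+) \(([^)]+)\) (\S+); urgency=\S+", re.M)

def parse_stanzas(text):
    """Split a Debian-style changelog into (version, series, body), newest first."""
    heads = list(HEADER.finditer(text))
    out = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        out.append((m.group(2), m.group(3), text[m.end():end]))
    return out

def fix_for(text, cve):
    """Return (version, patch titles) for the oldest upload listing cve, or None."""
    hit = None
    for version, _series, body in parse_stanzas(text):
        if cve in body:
            hit = (version, body)  # later stanzas are older uploads
    if hit is None:
        return None
    titles, in_item = [], False
    for line in hit[1].splitlines():
        if line.startswith("  * "):          # a new top-level changelog item
            in_item = cve in line
        elif in_item and line.strip().startswith("- "):
            titles.append(line.strip()[2:])  # patch title under the CVE item
    return hit[0], titles

def is_patched(installed, fixed):
    """Simplified numeric compare for N.N.N-ABI.UPLOAD versions of one series."""
    key = lambda v: tuple(int(n) for n in re.findall(r"\d+", v))
    return key(installed) >= key(fixed)
```

On an Ubuntu host the installed version string can be read with `dpkg-query -W -f='${Version}' linux-image-$(uname -r)`. The comparison is only meaningful within the trusty 3.13 series this changelog belongs to.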