Remote denial of service (system crash) caused by integer overflow in TCP SACK handling

Bug #1831637 reported by Tyler Hicks on 2019-06-04
262
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
High
Unassigned
Precise
Undecided
Unassigned
Trusty
Undecided
Unassigned
Xenial
Undecided
Unassigned
Bionic
Undecided
Unassigned
Cosmic
Undecided
Unassigned
Disco
Undecided
Unassigned

Bug Description

Jonathan Looney discovered that a remote attacker could cause a denial of service (system crash) via a maliciously crafted TCP session and a certain sequence of SACKs.

CVE References

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.15.0-52.56

---------------
linux (4.15.0-52.56) bionic; urgency=medium

  * Remote denial of service (resource exhaustion) caused by TCP SACK scoreboard
    manipulation (LP: #1831638)
    - SAUCE: tcp: tcp_fragment() should apply sane memory limits

  * Remote denial of service (system crash) caused by integer overflow in TCP
    SACK handling (LP: #1831637)
    - SAUCE: tcp: limit payload size of sacked skbs

 -- Marcelo Henrique Cerri <email address hidden> Tue, 04 Jun 2019 17:33:24 -0300

Changed in linux (Ubuntu Bionic):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.18.0-22.23

---------------
linux (4.18.0-22.23) cosmic; urgency=medium

  * Remote denial of service (resource exhaustion) caused by TCP SACK scoreboard
    manipulation (LP: #1831638)
    - SAUCE: tcp: tcp_fragment() should apply sane memory limits

  * Remote denial of service (system crash) caused by integer overflow in TCP
    SACK handling (LP: #1831637)
    - SAUCE: tcp: limit payload size of sacked skbs

 -- Marcelo Henrique Cerri <email address hidden> Tue, 04 Jun 2019 15:23:00 -0300

Changed in linux (Ubuntu Cosmic):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.0.0-17.18

---------------
linux (5.0.0-17.18) disco; urgency=medium

  * Remote denial of service (resource exhaustion) caused by TCP SACK scoreboard
    manipulation (LP: #1831638)
    - SAUCE: tcp: tcp_fragment() should apply sane memory limits

  * Remote denial of service (system crash) caused by integer overflow in TCP
    SACK handling (LP: #1831637)
    - SAUCE: tcp: limit payload size of sacked skbs

 -- Stefan Bader <email address hidden> Tue, 04 Jun 2019 17:22:50 +0200

Changed in linux (Ubuntu Disco):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-151.178

---------------
linux (4.4.0-151.178) xenial; urgency=medium

  * Remote denial of service (system crash) caused by integer overflow in TCP
    SACK handling (LP: #1831637)
    - SAUCE: tcp: limit payload size of sacked skbs
    - SAUCE: tcp: fix fack_count accounting on tcp_shift_skb_data()

  * Remote denial of service (resource exhaustion) caused by TCP SACK scoreboard
    manipulation (LP: #1831638)
    - SAUCE: tcp: tcp_fragment() should apply sane memory limits

 -- Stefan Bader <email address hidden> Tue, 11 Jun 2019 09:36:19 +0200

Changed in linux (Ubuntu Xenial):
status: New → Fix Released
Tyler Hicks (tyhicks) on 2019-06-17
information type: Private Security → Public Security
Tyler Hicks (tyhicks) wrote :

This bug report represents CVE-2019-11477

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.0.0-17.18

---------------
linux (5.0.0-17.18) disco; urgency=medium

  * Remote denial of service (resource exhaustion) caused by TCP SACK scoreboard
    manipulation (LP: #1831638)
    - SAUCE: tcp: tcp_fragment() should apply sane memory limits

  * Remote denial of service (system crash) caused by integer overflow in TCP
    SACK handling (LP: #1831637)
    - SAUCE: tcp: limit payload size of sacked skbs

 -- Stefan Bader <email address hidden> Tue, 04 Jun 2019 17:22:50 +0200

Changed in linux (Ubuntu):
status: In Progress → Fix Released
Tyler Hicks (tyhicks) wrote :

Ubuntu 14.04 ESM's base kernel was fixed with version 3.13.0-171.222.
Ubuntu 12.04 ESM's base kernel was fixed with version 3.2.0-141.188.

Changed in linux (Ubuntu Trusty):
status: New → Fix Released
Changed in linux (Ubuntu Precise):
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers