>= linux-4.4.0-130: 14 bytes memory leaked when sending AF_PACKET / SOCK_RAW frames

Bug #1783110 reported by Frank de Brabander
This bug affects 2 people
Affects                  Status        Importance  Assigned to       Milestone
linux (Ubuntu)           Fix Released  High        Joseph Salisbury
  Xenial                 Fix Released  High        Joseph Salisbury
  Bionic                 Fix Released  High        Joseph Salisbury

Bug Description

Vulnerable: linux-image-4.4.0-130-generic, linux-image-4.4.0-131-generic
Not vulnerable: linux-image-4.4.0-128-generic

Bug (likely) introduced by commit:
https://github.com/torvalds/linux/commit/b84bbaf7a6c8cca24f8acf25a2c8e46913a947ba

Likely fixed upstream with (NOT VERIFIED):
https://github.com/torvalds/linux/commit/9aad13b087ab0a588cd68259de618f100053360e

Discussion about these commits on maillist, including someone referring to this bug:
https://www.mail-archive.com/search?<email address hidden>&q=subject:%22Re%5C%3A+%5C%5BPATCH+net%5C%5D+packet%5C%3A+in+packet_snd+start+writing+at+link+layer+allocation%22&o=newest&f=1

When sending packets with AF_PACKET / SOCK_RAW, the frame actually transmitted contains 14 additional bytes after the end of the payload. The observed extra bytes are non-zero, so this is leaked memory content rather than padding.

See attached source for a simple proof of concept that sends a raw packet on the loopback interface. The payload should be 40 bytes of 0xAA, but tcpdump clearly shows 14 additional bytes are added.
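The attachment is not part of this page; the following is an added check written for this report, not the reporter's proof of concept, that reproduces the description above: it sends one SOCK_RAW frame with a 40-byte 0xAA payload and reads it back on a second AF_PACKET socket to measure how many bytes the kernel appended. It assumes the interface name "lo", an unused experimental EtherType (0x88B5), a 2-second capture timeout, and that the process holds CAP_NET_RAW.

```c
/* Added check, not the report's attachment: send one raw Ethernet frame via
 * AF_PACKET/SOCK_RAW and read it back to see whether the kernel appends bytes.
 * Needs CAP_NET_RAW. Build: cc -o pktleak pktleak.c */
#include <arpa/inet.h>
#include <linux/if_packet.h>
#include <net/ethernet.h>
#include <net/if.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

#define PAYLOAD_LEN 40   /* the report's payload: 40 bytes of 0xAA */
#define PROTO 0x88B5     /* assumed: IEEE 802 local experimental EtherType */

/* Build a 14-byte Ethernet header + payload; returns the frame length. */
static size_t build_frame(unsigned char *buf, size_t payload_len)
{
    struct ether_header *eh = (struct ether_header *)buf;
    memset(eh, 0, ETH_HLEN);                  /* lo ignores MAC addresses */
    eh->ether_type = htons(PROTO);
    memset(buf + ETH_HLEN, 0xAA, payload_len);
    return ETH_HLEN + payload_len;
}

/* Bytes seen on the wire beyond what was sent: 0 on a fixed kernel. */
static int extra_bytes(ssize_t captured_len, size_t sent_len)
{
    return captured_len > (ssize_t)sent_len ? (int)(captured_len - sent_len) : 0;
}

/* -1 if the check could not run (no CAP_NET_RAW, no such interface, nothing captured in 2 s), else trailing bytes added. */
int check_af_packet_leak(const char *ifname)
{
    unsigned char tx[ETH_FRAME_LEN], rx[ETH_FRAME_LEN];
    struct sockaddr_ll sll = { .sll_family = AF_PACKET, .sll_protocol = htons(PROTO) };
    struct timeval tmo = { .tv_sec = 2 };
    int snd, rcv, extra = -1; ssize_t n;
    if ((sll.sll_ifindex = if_nametoindex(ifname)) == 0) return -1;
    if ((rcv = socket(AF_PACKET, SOCK_RAW, htons(PROTO))) < 0) return -1;
    if ((snd = socket(AF_PACKET, SOCK_RAW, htons(PROTO))) < 0) { close(rcv); return -1; }
    setsockopt(rcv, SOL_SOCKET, SO_RCVTIMEO, &tmo, sizeof tmo);
    if (bind(rcv, (struct sockaddr *)&sll, sizeof sll) == 0) {   /* capture first, then send */
        size_t len = build_frame(tx, PAYLOAD_LEN);
        if (sendto(snd, tx, len, 0, (struct sockaddr *)&sll, sizeof sll) == (ssize_t)len &&
            (n = recv(rcv, rx, sizeof rx, 0)) >= 0)
            extra = extra_bytes(n, len);     /* 14 on 4.4.0-130/131, 0 once fixed */
    }
    close(snd); close(rcv);
    return extra;
}
```

A result of 14 matches the report (54-byte frame sent, 68 captured); 0 means the running kernel carries the reserve-calculation fix.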

Frank de Brabander (brabanderf) wrote:
description: updated
summary: - linux-4.4.0-130: 14 bytes memory leaked when sending AF_PACKET /
+ >= linux-4.4.0-130: 14 bytes memory leaked when sending AF_PACKET /
SOCK_RAW frames
Changed in linux (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
tags: added: kernel-da-key
Joseph Salisbury (jsalisbury) wrote:

The fix to this bug is in Xenial master-next as the following commit:
6b15c1a packet: fix reserve calculation

It was applied to Xenial via the 4.4.137 upstream stable updates.

Changed in linux (Ubuntu):
status: Triaged → Fix Committed
importance: Medium → High
Changed in linux (Ubuntu Xenial):
status: New → Fix Committed
importance: Undecided → High
tags: added: xenial
Changed in linux (Ubuntu Bionic):
status: New → Fix Committed
importance: Undecided → High
Changed in linux (Ubuntu):
assignee: nobody → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu Xenial):
assignee: nobody → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu Bionic):
assignee: nobody → Joseph Salisbury (jsalisbury)
information type: Private Security → Public Security
Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released
Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
Brad Figg (brad-figg)
tags: added: cscc