>= linux-4.4.0-130: 14 bytes memory leaked when sending AF_PACKET / SOCK_RAW frames
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | High | Joseph Salisbury |
Xenial | Fix Released | High | Joseph Salisbury |
Bionic | Fix Released | High | Joseph Salisbury |

Bug Description
Vulnerable: linux-image-
Not vulnerable: linux-image-
Bug (likely) introduced by commit:
https:/
Likely fixed upstream with (NOT VERIFIED):
https:/
Discussion about these commits on the mailing list, including someone referring to this bug:
https:/
When sending packets with AF_PACKET / SOCK_RAW, the actual transmitted packet contains 14 additional bytes at the end of the payload. Observations do show non-zero bytes getting leaked.
See attached source for a simple proof of concept that sends a raw packet on the loopback interface. The payload should be 40 bytes of 0xAA, but tcpdump clearly shows 14 additional bytes are added.
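
A defender-side check for the symptom described above, added here and not the reporter's attached proof of concept: it reads a classic pcap capture (the format `tcpdump -w` writes) and lists frames that begin with the bytes the sender passed in but are longer on the wire. The function names, the `SENT` pattern and the sample capture are constructed for illustration.

```python
import struct

def iter_pcap_frames(blob):
    """Yield (orig_len, captured_bytes) for each record of a classic pcap file."""
    if len(blob) < 24:
        raise ValueError("truncated pcap global header")
    magic = blob[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"   # little-endian writer (usec or nsec timestamps)
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"   # big-endian writer
    else:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(blob):
        _sec, _frac, incl_len, orig_len = struct.unpack_from(endian + "4I", blob, off)
        off += 16
        if off + incl_len > len(blob):
            raise ValueError("truncated packet record")
        yield orig_len, blob[off:off + incl_len]
        off += incl_len

def find_trailing_bytes(blob, sent_frame):
    """Report captured frames that begin with sent_frame but carry extra bytes."""
    findings = []
    for index, (orig_len, data) in enumerate(iter_pcap_frames(blob)):
        if not data.startswith(sent_frame) or orig_len == len(sent_frame):
            continue
        tail = data[len(sent_frame):]
        findings.append({
            "record": index,
            "extra_on_wire": orig_len - len(sent_frame),
            "tail_hex": tail.hex(),
            # None when the snap length cut the tail off and it cannot be judged
            "nonzero_tail": any(tail) if orig_len == len(data) else None,
        })
    return findings

def build_sample_pcap(frames):
    """Constructed test input: little-endian pcap, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for frame in frames:
        out += struct.pack("<4I", 0, 0, len(frame), len(frame)) + frame
    return out

SENT = b"\xaa" * 40  # the 40 bytes of 0xAA the sender passed in
TAIL = bytes.fromhex("00112233445566778899aabbccdd")  # constructed 14-byte tail
SAMPLE = build_sample_pcap([SENT, SENT + TAIL])

if __name__ == "__main__":
    for finding in find_trailing_bytes(SAMPLE, SENT):
        print(finding)
```
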
description: updated
summary:
- linux-4.4.0-130: 14 bytes memory leaked when sending AF_PACKET /
+ >= linux-4.4.0-130: 14 bytes memory leaked when sending AF_PACKET / SOCK_RAW frames

Changed in linux (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
tags: added: kernel-da-key
information type: Private Security → Public Security

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released

Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
tags: added: cscc

The fix to this bug is in Xenial master-next as the following commit:
6b15c1a packet: fix reserve calculation
It was applied to Xenial via the 4.4.137 upstream stable updates.