The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls.
When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.
| Link | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2017:1308 | third party advisory vendor advisory |
| https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html | third party advisory |
| https://source.android.com/security/bulletin/2017-07-01 | third party advisory |
| https://access.redhat.com/errata/RHSA-2018:1854 | third party advisory vendor advisory |
| http://www.securityfocus.com/bid/97234 | vdb entry third party advisory |
| https://patchwork.ozlabs.org/patch/744812/ | third party advisory |
| https://www.exploit-db.com/exploits/41994/ | exploit vdb entry third party advisory |
| https://patchwork.ozlabs.org/patch/744813/ | third party advisory |
| https://www.exploit-db.com/exploits/44654/ | exploit vdb entry third party advisory |
| https://patchwork.ozlabs.org/patch/744811/ | third party advisory |
| https://access.redhat.com/errata/RHSA-2017:1298 | third party advisory vendor advisory |
| https://access.redhat.com/errata/RHSA-2017:1297 | third party advisory vendor advisory |