CVE-2017-1000111

NameCVE-2017-1000111
DescriptionLinux kernel: heap out-of-bounds in AF_PACKET sockets. This new issue is analogous to previously disclosed CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in packet_set_ring. Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar: lock the socket for the update. This issue may be exploitable, we did not investigate further. As this issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1099-1, DSA-3981-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
linux (PTS)buster4.19.249-2fixed
buster (security)4.19.304-1fixed
bullseye5.10.209-2fixed
bullseye (security)5.10.205-2fixed
bookworm6.1.76-1fixed
bookworm (security)6.1.69-1fixed
trixie6.6.15-2fixed
sid6.7.9-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
linuxsourcewheezy3.2.93-1DLA-1099-1
linuxsourcejessie3.16.43-2+deb8u5DSA-3981-1
linuxsourcestretch4.9.30-2+deb9u5DSA-3981-1
linuxsource(unstable)4.12.6-1

Notes

Introduced by: https://git.kernel.org/linus/8913336a7e8d56e984109a3137d6c0e3362596a4 (2.6.27-rc1)
Fixed by: https://git.kernel.org/linus/c27927e372f0785f3303e8fad94b85945e2c97b7
Non-privileged user namespaces disabled by default, only exploitable by arbitrary user if sysctl kernel.unprivileged_userns_clone=1

Search for package or bug name: Reporting problems