[CVE A/T] CVE-2018-1130 -- dccp oops
Kleber Souza
kleber.souza at canonical.com
Wed Jun 6 22:37:14 UTC 2018
On 05/30/18 04:46, Evgenii Shatokhin wrote:
> Hi,
>
> On 30.05.2018 13:20, Andy Whitcroft wrote:
>> CVE-2018-1130
>> It was discovered that a null pointer dereference vulnerability
>> existed in the DCCP protocol implementation in the Linux kernel. A
>> local attacker could use this to cause a denial of service (system
>> crash).
>>
>> Following this email are patches for artful and trusty, they are both
>> clean cherry-picks but differ in context.
>>
>> Proposing for SRU to artful/linux and trusty/linux.
>>
>> -apw
>>
>
> Please consider backporting the following mainline commit as well:
>
> commit 990ff4d84408fc55942ca6644f67e361737b3d8e
> Author: Eric Dumazet <edumazet at google.com>
> Date: Thu Nov 3 08:59:46 2016 -0700
>
> ipv6: dccp: add missing bind_conflict to dccp_ipv6_mapped
>
> If I understand it correctly, it is not present in Artful and Trusty.
>
> Without it, the same reproducer program for CVE-2018-1130 (see
> https://syzkaller.appspot.com/bug?id=833568de043e0909b2aeaef7be136db39d21ba94)
> could make the kernel call the missing dccp_ipv6_mapped->bind_conflict()
> callback, which would result in a crash.
>
> I haven't tried the reproducer in Ubuntu yet, only in RHEL, but the
> Ubuntu kernels might be affected too.
>
> Regards,
> Evgenii
>
Hi Evgenii,
Thank you for pointing that out. Artful already carries that patch, but
it's missing for Trusty and I was able to hit the crash with the reproducer.
Thank you,
Kleber