CVE-2016-9793

Published: 28 December 2016

The sock_setsockopt function in net/core/sock.c in the Linux kernel before 4.8.14 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option.

From the Ubuntu security team

Andrey Konovalov discovered that signed integer overflows existed in the setsockopt() system call when handling the SO_SNDBUFFORCE and SO_RCVBUFFORCE options. A local attacker with the CAP_NET_ADMIN capability could use this to cause a denial of service (system crash or memory corruption).

Priority

Low

CVSS 3 base score: 7.8

Status

Package Release Status
linux
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)
Patches:
Introduced by 82981930125abfd39d7c8378a9cfdf5e1be2002b
Fixed by b98b0bc8c431e3ceb4b26b0dfc8db509518fb290
linux-armadaxp
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)
This package is not directly supported by the Ubuntu Security Team
linux-aws
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)
linux-flo
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)
linux-gke
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)
linux-goldfish
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)
linux-grouper
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)
linux-hwe
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)
linux-hwe-edge
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)
linux-linaro-omap
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)
linux-linaro-shared
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)
linux-linaro-vexpress
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)
linux-lts-quantal
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)
This package is not directly supported by the Ubuntu Security Team
linux-lts-raring
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)
linux-lts-saucy
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)
This package is not directly supported by the Ubuntu Security Team
linux-lts-trusty
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)
linux-lts-utopic
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)
linux-lts-vivid
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)
linux-lts-wily
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)
linux-lts-xenial
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)
linux-maguro
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)
linux-mako
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)
linux-manta
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)
linux-qcm-msm
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)
linux-raspi2
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)
linux-snapdragon
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)
linux-ti-omap4
Launchpad, Ubuntu, Debian
Upstream
Released (4.9~rc8)

Notes

AuthorNote
sbeattie
the overflows exist for SO_{SND|RCV}BUFFORCE, so it's
possible for a process with CAP_NET_ADMIN to do this. However,
the check for CAP_NET_ADMIN is via capable() *not* ns_capable(),
so the process attempting this has to have CAP_NET_ADMIN in the
init_ns; having it in a new user namespace (i.e. via unshare()) is
not sufficient. Thus, this cannot be exploited by an unprivileged
user dropping into an unprivileged user namespace. Hence the
low priority.

References