CVE-2016-9793
Published: 28 December 2016
The sock_setsockopt function in net/core/sock.c in the Linux kernel before 4.8.14 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option.
From the Ubuntu Security Team
Andrey Konovalov discovered that signed integer overflows existed in the setsockopt() system call when handling the SO_SNDBUFFORCE and SO_RCVBUFFORCE options. A local attacker with the CAP_NET_ADMIN capability could use this to cause a denial of service (system crash or memory corruption).
Notes
| Author | Note |
|---|---|
| sbeattie | the overflows exist for SO_{SND|RCV}BUFFORCE, so it's
possible for a process with CAP_NET_ADMIN to do this. However,
the check for CAP_NET_ADMIN is via capable() *not* ns_capable(),
so the process attempting this has to have CAP_NET_ADMIN in the
init_ns; having it in a new user namespace (i.e. via unshare()) is
not sufficient. Thus, this cannot be exploited by an unprivileged
user dropping into an unprivileged user namespace. Hence the
low priority. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
linux-armadaxp Launchpad, Ubuntu, Debian |
precise |
Not vulnerable
|
| trusty |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
| upstream |
Released
(4.9~rc8)
|
|
| This package is not directly supported by the Ubuntu Security Team | ||
|
linux-aws Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Not vulnerable
(4.4.0-1002.2)
|
|
| xenial |
Released
(4.4.0-1003.12)
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
| upstream |
Released
(4.9~rc8)
|
|
|
linux-flo Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
(trusty was ignored)
|
|
| xenial |
Not vulnerable
|
|
| yakkety |
Not vulnerable
|
|
| zesty |
Does not exist
|
|
| upstream |
Released
(4.9~rc8)
|
|
|
linux-gke Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
|
|
| xenial |
Not vulnerable
(4.4.0-1003.3)
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
| upstream |
Released
(4.9~rc8)
|
|
|
linux-goldfish Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
(trusty was ignored)
|
|
| xenial |
Not vulnerable
|
|
| yakkety |
Not vulnerable
|
|
| zesty |
Not vulnerable
|
|
| upstream |
Released
(4.9~rc8)
|
|
|
linux-grouper Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
(trusty was ignored)
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
| upstream |
Released
(4.9~rc8)
|
|
|
linux-hwe Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
|
|
| xenial |
Not vulnerable
(4.8.0-36.36~16.04.1)
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
| upstream |
Released
(4.9~rc8)
|
|
|
linux-hwe-edge Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
|
|
| xenial |
Not vulnerable
(4.8.0-36.36~16.04.1)
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
| upstream |
Released
(4.9~rc8)
|
|
|
linux-linaro-vexpress Launchpad, Ubuntu, Debian |
xenial |
Does not exist
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
| upstream |
Released
(4.9~rc8)
|
|
| precise |
Ignored
(end of life)
|
|
| trusty |
Does not exist
|
|
|
linux-lts-quantal Launchpad, Ubuntu, Debian |
precise |
Ignored
(end of life)
|
| trusty |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
| upstream |
Released
(4.9~rc8)
|
|
| This package is not directly supported by the Ubuntu Security Team | ||
|
linux-lts-raring Launchpad, Ubuntu, Debian |
precise |
Ignored
(end of life)
|
| trusty |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
| upstream |
Released
(4.9~rc8)
|
|
|
linux-lts-saucy Launchpad, Ubuntu, Debian |
precise |
Ignored
(end of life)
|
| trusty |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
| upstream |
Released
(4.9~rc8)
|
|
| This package is not directly supported by the Ubuntu Security Team | ||
|
linux-lts-trusty Launchpad, Ubuntu, Debian |
precise |
Released
(3.13.0-107.154~precise1)
|
| trusty |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
| upstream |
Released
(4.9~rc8)
|
|
|
linux-lts-utopic Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
(trusty was ignored [end of standard support])
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
| upstream |
Released
(4.9~rc8)
|
|
|
linux-lts-vivid Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Released
(3.19.0-79.87~14.04.1)
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
| upstream |
Released
(4.9~rc8)
|
|
|
linux-lts-wily Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
(trusty was ignored [end of standard support])
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
| upstream |
Released
(4.9~rc8)
|
|
|
linux-lts-xenial Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Released
(4.4.0-59.80~14.04.1)
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
| upstream |
Released
(4.9~rc8)
|
|
|
linux-maguro Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
(trusty was ignored)
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
| upstream |
Released
(4.9~rc8)
|
|
|
linux-mako Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
(trusty was ignored)
|
|
| xenial |
Not vulnerable
|
|
| yakkety |
Not vulnerable
|
|
| zesty |
Does not exist
|
|
| upstream |
Released
(4.9~rc8)
|
|
|
linux-manta Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
(trusty was ignored)
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
| upstream |
Released
(4.9~rc8)
|
|
|
linux-qcm-msm Launchpad, Ubuntu, Debian |
precise |
Ignored
(end of life)
|
| trusty |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
| upstream |
Released
(4.9~rc8)
|
|
|
linux-raspi2 Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
|
|
| xenial |
Released
(4.4.0-1040.47)
|
|
| yakkety |
Released
(4.8.0-1022.25)
|
|
| zesty |
Not vulnerable
(4.8.0-1024.27)
|
|
| upstream |
Released
(4.9~rc8)
|
|
|
linux-snapdragon Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
|
|
| xenial |
Released
(4.4.0-1044.48)
|
|
| yakkety |
Released
(4.4.0-1046.50)
|
|
| zesty |
Not vulnerable
(4.4.0-1046.50)
|
|
| upstream |
Released
(4.9~rc8)
|
|
|
linux Launchpad, Ubuntu, Debian |
upstream |
Released
(4.9~rc8)
|
| precise |
Not vulnerable
|
|
| trusty |
Released
(3.13.0-107.154)
|
|
| xenial |
Released
(4.4.0-59.80)
|
|
| yakkety |
Released
(4.8.0-34.36)
|
|
| zesty |
Not vulnerable
(4.9.0-11.12)
|
|
|
Patches: Introduced by 82981930125abfd39d7c8378a9cfdf5e1be2002b |
||
|
linux-linaro-omap Launchpad, Ubuntu, Debian |
upstream |
Released
(4.9~rc8)
|
| precise |
Ignored
(end of life)
|
|
| trusty |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
linux-linaro-shared Launchpad, Ubuntu, Debian |
upstream |
Released
(4.9~rc8)
|
| precise |
Ignored
(end of life)
|
|
| trusty |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
linux-ti-omap4 Launchpad, Ubuntu, Debian |
upstream |
Released
(4.9~rc8)
|
| precise |
Not vulnerable
|
|
| trusty |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.8 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9793
- http://www.openwall.com/lists/oss-security/2016/12/02
- https://github.com/torvalds/linux/commit/b98b0bc8c431e3ceb4b26b0dfc8db509518fb290
- https://ubuntu.com/security/notices/USN-3168-1
- https://ubuntu.com/security/notices/USN-3168-2
- https://ubuntu.com/security/notices/USN-3169-1
- https://ubuntu.com/security/notices/USN-3169-2
- https://ubuntu.com/security/notices/USN-3169-3
- https://ubuntu.com/security/notices/USN-3169-4
- https://ubuntu.com/security/notices/USN-3170-1
- https://ubuntu.com/security/notices/USN-3170-2
- NVD
- Launchpad
- Debian