CVE-2017-1000112 in Linux
Summary
by MITRE
Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE, __ip_append_data() calls ip_ufo_append_data() to append. However, in between two send() calls, the append path can be switched from UFO to a non-UFO one, which leads to a memory corruption. In case UFO packet lengths exceed MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate a new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.
Analysis
by VulDB Data Team • 07/02/2024
This vulnerability is a critical memory corruption flaw in the Linux kernel's networking stack that arises from improper handling of UFO (UDP Fragmentation Offload) packet processing during socket operations. The issue occurs when applications send data using the MSG_MORE flag, which indicates that the data from multiple send operations should be combined into a single packet. The vulnerability stems from a path switch between UFO and non-UFO packet handling that leaves the buffer allocation and data copying logic operating on inconsistent length values.
The technical flaw manifests when the kernel's __ip_append_data() function transitions from UFO to non-UFO packet processing between successive send() calls. During this transition, the non-UFO path calculates copy = maxfraglen - skb->len, which becomes negative when the UFO-built skb is already larger than the MTU (Maximum Transmission Unit). This negative value selects the branch that allocates a new skb (socket buffer) and starts the fragmentation logic. The subsequent calculation of fraggap = skb_prev->len - maxfraglen can itself exceed the MTU, which in turn makes copy = datalen - transhdrlen - fraggap negative as well. When this negative value is passed to skb_copy_and_csum_bits() as a length, the function writes data beyond the allocated buffer boundaries, resulting in memory corruption that can be exploited by malicious actors.
The operational impact of this vulnerability is severe as it allows for arbitrary code execution within the kernel space when exploited successfully. Attackers can leverage this memory corruption to escalate privileges, potentially gaining root access to affected systems. The vulnerability affects systems running Linux kernel versions prior to the fix, with the bug being introduced in October 2005 as part of the UFO Scatter-gather approach implementation. The issue exists in both IPv4 and IPv6 networking code paths, making it particularly dangerous as it affects fundamental network communication mechanisms. This vulnerability aligns with CWE-121 (Stack-based Buffer Overflow) and CWE-122 (Heap-based Buffer Overflow) classifications, while mapping to ATT&CK technique T1068 (Exploitation for Privilege Escalation) and T1595 (Active Scanning) for exploitation methods.
The root cause of this vulnerability lies in the improper validation of buffer boundaries during the UFO to non-UFO path switch. The kernel fails to account for negative values in its fragmentation calculations, leading to out-of-bounds memory operations. This is a classic buffer overflow condition: the system does not validate that computed lengths remain within acceptable ranges before performing memory operations. The vulnerability requires only minimal privileges to exploit, since it is reached through standard socket operations that need no special permissions. Mitigation strategies include applying kernel patches that fix the buffer boundary calculations, implementing proper input validation in the packet processing path, and potentially disabling UFO functionality when not required. System administrators should prioritize applying security updates to prevent exploitation of this vulnerability in production environments.
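To make the length arithmetic from the technical description and the missing range check from the root-cause paragraph concrete, here is an added, constructed model of the non-UFO append branch. It is not kernel code and not taken from this page or from any patch: the variable names (maxfraglen, fraggap, datalen, transhdrlen, copy) follow the advisory text, while the MTU, fragment header length, the 8-byte rounding of maxfraglen, and the cap of datalen at the MTU are simplifying assumptions so that the calculation runs stand-alone. The checked wrapper shows the kind of bound a defender wants in place before any length reaches a copy routine.

```c
#include <stdbool.h>
#include <stdio.h>
#include <errno.h>

/*
 * Constructed model of the length arithmetic in the non-UFO branch of
 * __ip_append_data(), as described in the advisory. Not kernel code:
 * mtu, fragheaderlen and the datalen cap are assumptions for illustration.
 */
struct frag_calc {
    int first_copy; /* maxfraglen - skb->len; <= 0 selects the "new skb" branch */
    int fraggap;    /* bytes of the previous skb that spill past maxfraglen */
    int datalen;    /* payload the new fragment is allowed to hold */
    int copy;       /* datalen - transhdrlen - fraggap: length handed to the copy */
    bool new_skb;   /* true when the fragmentation branch was taken */
};

/* Replay the calculation for a queued skb of skb_prev_len bytes when
 * `length` more payload bytes arrive on the non-UFO path. transhdrlen is
 * 0 on a follow-up send() because the transport header is already queued. */
struct frag_calc model_non_ufo_append(int skb_prev_len, int mtu,
                                      int fragheaderlen, int transhdrlen,
                                      int length)
{
    struct frag_calc r = {0};
    /* Assumed: largest fragment the path builds, MTU payload rounded to 8 bytes. */
    int maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen;

    r.first_copy = maxfraglen - skb_prev_len;
    if (r.first_copy > 0) {
        /* Room left in the current skb: plain append, no fragmentation. */
        r.copy = r.first_copy < length ? r.first_copy : length;
        return r;
    }

    /* first_copy <= 0: allocate a new skb and fragment. A UFO-built skb
     * longer than the MTU makes fraggap larger than any fragment can hold. */
    r.new_skb = true;
    r.fraggap = skb_prev_len - maxfraglen;
    r.datalen = length + r.fraggap;
    if (r.datalen > mtu - fragheaderlen)
        r.datalen = maxfraglen - fragheaderlen; /* assumed MTU cap */
    r.copy = r.datalen - transhdrlen - r.fraggap;  /* negative when fraggap > datalen */
    return r;
}

/* Defensive wrapper: a negative length must never reach the copy routine.
 * Returns the copy length, or -EINVAL when the append must be refused. */
int checked_non_ufo_append(int skb_prev_len, int mtu, int fragheaderlen,
                           int transhdrlen, int length)
{
    struct frag_calc r = model_non_ufo_append(skb_prev_len, mtu, fragheaderlen,
                                              transhdrlen, length);
    if (r.copy < 0)
        return -EINVAL;
    return r.copy;
}

int main(void)
{
    /* Benign case: the queued skb fits inside one MTU-sized fragment. */
    struct frag_calc ok = model_non_ufo_append(1500, 1500, 20, 0, 500);
    /* Advisory case: UFO already built a 4000-byte skb, then the path switched. */
    struct frag_calc bad = model_non_ufo_append(4000, 1500, 20, 0, 100);

    printf("benign:   new_skb=%d fraggap=%d copy=%d\n", ok.new_skb, ok.fraggap, ok.copy);
    printf("UFO case: new_skb=%d fraggap=%d copy=%d (negative length)\n",
           bad.new_skb, bad.fraggap, bad.copy);
    printf("checked:  %d\n", checked_non_ufo_append(4000, 1500, 20, 0, 100));
    return 0;
}
```

With the assumed MTU of 1500 and a 20-byte IPv4 header, the benign call yields copy = 500, while the 4000-byte UFO skb gives first_copy = -2500, fraggap = 2500 and copy = -1020, the negative length the advisory describes; the checked wrapper turns that into -EINVAL instead of letting it reach a copy routine, which is the boundary validation the root-cause paragraph says the original code lacked.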