CVE-2017-7308
Published: 2017-03-29
Priority: P2 (high)
CVSS 3.1 base score: 7.8 (High)
Exploit: public exploit available (see the Exploit-DB and Metasploit entries below)
EPSS: 17.83% (96.8th percentile)
The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls.
Affected: 15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux | < linux 4.9.18-1 (bookworm) | linux 4.9.18-1 (bookworm) |
| android | — | — | |
| linux | linux_kernel | >= 0 < 4.9.18-1 | 4.9.18-1 |
| linux | linux_kernel | >= 2.6.27 < 3.2.89 | 3.2.89 |
| linux | linux_kernel | >= 3.11 < 3.12.74 | 3.12.74 |
| linux | linux_kernel | >= 3.13 < 3.16.44 | 3.16.44 |
| linux | linux_kernel | >= 3.17 < 3.18.52 | 3.18.52 |
| linux | linux_kernel | >= 3.19 < 4.1.41 | 4.1.41 |
| linux | linux_kernel | >= 3.3 < 3.10.107 | 3.10.107 |
| linux | linux_kernel | >= 4.10 < 4.10.14 | 4.10.14 |
| linux | linux_kernel | >= 4.2 < 4.4.66 | 4.4.66 |
| linux | linux_kernel | >= 4.5 < 4.9.26 | 4.9.26 |
Detection & IOCs (extracted from sources)
- Alert on unprivileged processes creating AF_PACKET SOCK_RAW sockets, which requires CAP_NET_RAW, a capability obtainable via unprivileged user namespaces when CONFIG_USER_NS=y is enabled.
- Monitor for KASLR bypass attempts via /proc/kallsyms reads or klogctl(SYSLOG_ACTION_READ_ALL) from unprivileged processes; the exploit uses these to locate the kernel base address.
- Detect exploitation attempts targeting Linux Mint 18 / Ubuntu Xenial kernel versions 4.8.0-34 through 4.8.0-45 (generic), the confirmed vulnerable targets for this exploit.
- Alert on processes attempting to disable SMEP/SMAP by calling native_write_cr4 with CR4 value 0x406e0 (SMEP off) or 0x407f0 (SMAP off), a key step in this exploit's privilege escalation chain.
- Monitor for the exploit's heap spray pattern: large numbers of kmalloc (512 pad) and page allocations (1024 pad) from a single process prior to socket operations, indicating heap grooming for the out-of-bounds write.
- The exploit requires two or more CPU cores; single-core systems are not exploitable. Enforce seccomp policies blocking socket(AF_PACKET, SOCK_RAW, ...) syscalls for containers and unprivileged processes to mitigate.
- The CVE-2017-7308 exploit is confirmed blocked by ARM Pointer Authentication (PA)-based CFI via typesig enforcement; the original exploits were simply prevented by typesig.
- The vulnerability is only triggerable when CONFIG_PACKET=y and CONFIG_USER_NS=y are both set in the kernel configuration and unprivileged user namespaces are accessible. Ubuntu and Linux Mint satisfy these conditions by default.
- The exploit targets Ubuntu Xenial kernels 4.8.0 < 4.8.0-46 specifically; the bug was patched in kernel version 4.10.6. Systems already on 4.8.0-46+ or 4.10.6+ are not affected by this specific exploit.
- Failed exploitation may crash the kernel (kernel panic/DoS), so detection of failed attempts should also cover unexpected kernel oops/panics on affected kernel versions.
- Seccomp policies blocking the socket syscall with the AF_PACKET domain can mitigate CVE-2017-7308; this CVE is cited as an example of privilege escalation achievable from containers when syscalls are not restricted.
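The seccomp mitigation named above, as an added example that is not code from any of the sources quoted on this page: a raw seccomp-BPF filter that returns EPERM for socket() calls whose domain argument is AF_PACKET, plus a small evaluator so the policy can be checked against constructed syscall records before it is installed. It assumes x86-64 Linux; all function names are the example's own.

```c
// Added example: a raw seccomp-BPF filter that denies socket(AF_PACKET, ...)
// with EPERM. Assumes x86-64 Linux; every name here is the example's own.
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Jump targets are relative: jt/jf skip that many following instructions. */
static struct sock_filter af_packet_filter[] = {
    /* 0-2: kill on a foreign arch so syscall numbers cannot be confused */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /* 3-4: anything other than socket() is allowed (jump to 8) */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 3),
    /* 5-7: socket() with domain == AF_PACKET fails with EPERM */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_PACKET, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    /* 8: every other socket() domain is allowed */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Evaluate the program against a seccomp_data record without installing it,
 * so the policy can be unit-tested. Supports only the three instruction forms
 * used above; anything else (or falling off the end) fails closed. */
static unsigned int run_filter(const struct sock_filter *prog, size_t len,
                               const struct seccomp_data *d)
{
    const unsigned char *raw = (const unsigned char *)d;
    unsigned int acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, raw + in->k, sizeof(acc)); /* 32-bit load, LE host */
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == in->k) ? in->jt : in->jf;
        else if (in->code == (BPF_RET | BPF_K))
            return in->k;
        else
            return SECCOMP_RET_KILL;
    }
    return SECCOMP_RET_KILL;
}

/* Verdict for a constructed syscall record: number, arch and first argument. */
unsigned int verdict(int nr, unsigned int arch, unsigned long arg0)
{
    struct seccomp_data d = { .nr = nr, .arch = arch, .args = { arg0 } };
    return run_filter(af_packet_filter, ARRAY_LEN(af_packet_filter), &d);
}

/* Install the filter for the calling process and its future children.
 * Returns 0 on success, -1 with errno set. */
int install_af_packet_filter(void)
{
    struct sock_fprog prog = {
        .len = (unsigned short)ARRAY_LEN(af_packet_filter),
        .filter = af_packet_filter,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    if (install_af_packet_filter() != 0) { perror("seccomp"); return 1; }
    int fd = socket(AF_PACKET, SOCK_RAW, 0); /* expected: -1 with EPERM */
    printf("socket(AF_PACKET, SOCK_RAW) -> %d (%s)\n", fd,
           fd < 0 ? strerror(errno) : "allowed");
    return fd < 0 ? 0 : 1;
}
```

The evaluator only models the instruction forms this program uses; a production policy would normally be built with libseccomp and also cover socketcall() on 32-bit ABIs.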
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 7.8 | HIGH | — |
| vendor_debian | — | 7.8 | HIGH | — |
| vendor_redhat | — | 7.8 | HIGH | — |
Android
CVE-2017-7308: Networking driver
vendor_android·2017-07-01·CVSS 7.8
Android Security Bulletin 2017-07-01
CVE: CVE-2017-7308
Severity: MEDIUM
Type: EoP
Component: Networking driver
References: A-36725304, Upstream kernel
Ubuntu
Linux kernel (HWE) vulnerability
vendor_ubuntu·2017-04-05
Summary: The system could be made to crash under certain conditions.
USN-3256-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel for each of the respective prior Ubuntu LTS releases.
Andrey Konovalov discovered that the AF_PACKET implementation in the Linux kernel did not properly validate certain block-size data. A local attacker could use this to cause a denial of service (system crash).
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, whi
Ubuntu
Linux kernel vulnerability
vendor_ubuntu·2017-04-05
Summary: The system could be made to crash under certain conditions.
Andrey Konovalov discovered that the AF_PACKET implementation in the Linux kernel did not properly validate certain block-size data. A local attacker could use this to cause a denial of service (system crash).
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgr
Red Hat
kernel: net/packet: overflow in check for priv area size
vendor_redhat·2017-03-29·CVSS 7.8
CVE-2017-7308 [HIGH] CWE-120
It was found that the packet_set_ring() function of the Linux kernel's networking implementation did not properly validate certain block-size data. A local attacker with CAP_NET_RAW capability could use this flaw to trigger a buffer overflow resulting in a system crash or a privilege escalation.
Statement: This issue does not affect Red Hat Enterprise Linux 5.
In a default or common use of Red Hat Enter
Debian
CVE-2017-7308: linux - The packet_set_ring function in net/packet/af_packet.c in the Linux kernel throu...
vendor_debian·2017·CVSS 7.8
Scope: local
bookworm: resolved (fixed in 4.9.18-1)
bullseye: resolved (fixed in 4.9.18-1)
forky: resolved (fixed in 4.9.18-1)
sid: resolved (fixed in 4.9.18-1)
trixie: resolved (fixed in 4.9.18-1)
GHSA
GHSA-ppq3-433v-jp43: The packet_set_ring function in net/packet/af_packet
ghsa_unreviewed·2022-05-14
CVE-2017-7308 [HIGH] CWE-119
Kernel
x86/asm: Pin sensitive CR4 bits
kernel_security·2019-06-17·CVSS 7.8
Several recent exploits have used direct calls to the native_write_cr4() function to disable SMEP and SMAP before then continuing their exploits using userspace memory access.
Direct calls of this form can be mitigated by pinning bits of CR4 so that they cannot be changed through a common function. This is not intended to be a general ROP protection (which would require CFI to defend against properly), but rather a way to avoid trivial direct function calling (or CFI bypasses via a matching function prototype) as seen in:
https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
(https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308)
The goals of this change:
- Pin specific bits (SMEP, SMAP, and UMIP) when writin
Project Zero
Exploiting the Linux kernel via packet sockets - Project Zero
project_zero·2017-05-01·CVSS 7.8
CVE-2016-8655 [HIGH] Exploiting the Linux kernel via packet sockets - Project Zero
Guest blog post, posted by Andrey Konovalov
Introduction
Lately I’ve been spending some time fuzzing network-related Linux kernel interfaces with syzkaller. Besides the recently discovered vulnerability in DCCP sockets, I also found another one, this time in packet sockets. This post describes how the bug was discovered and how we can exploit it to escalate privileges.
The bug itself (CVE-2017-7308) is a signedness issue, which leads to an exploitable heap-out-of-bounds write. It can be triggered by providing specific parameters to the PACKET_RX_RING option on an AF_PACKET socket with a TPACKET_V3 ring buffer version enabled. As a result the following sanity check in the packet_set_ring() function in net/packet/af_packet.c can be bypassed, which later leads to an out-of-bounds access.
OSV
CVE-2017-7308: The packet_set_ring function in net/packet/af_packet
osv·2017-03-29·CVSS 7.8
No detection rules found.
Exploit-DB
Linux Kernel 4.8.0-34 < 4.8.0-45 (Ubuntu / Linux Mint) - Packet Socket Local Privilege Escalation
exploitdb·2018-12-29·CVSS 7.8
```c
// ---
// Updated by
// - support for systems with SMEP but no SMAP
// - check number of CPU cores
// - additional kernel targets
// - additional KASLR bypasses
// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2017-7308

#define _GNU_SOURCE
#include /* the header names of this excerpt's include directives were lost */

#define DEBUG
#ifdef DEBUG
# define dprintf printf
#else
# define dprintf
#endif

#define ENABLE_KASLR_BYPASS 1
#define ENABLE_SMEP_SMAP_BYPASS 1

char *SHELL = "/bin/bash";

// Will be overwritten if ENABLE_KASLR_BYPASS
unsigned long KERNEL_BASE = 0xffffffff81000000ul;

// Will be ove
```
Exploit-DB
Linux 4.8.0 < 4.8.0-46 - AF_PACKET packet_set_ring Privilege Escalation (Metasploit)
exploitdb·2018-05-18·CVSS 7.8
```ruby
Linux 4.8.0 'AF_PACKET packet_set_ring Privilege Escalation',
'Description' => %q{
  This module exploits a heap-out-of-bounds write in the packet_set_ring
  function in net/packet/af_packet.c (AF_PACKET) in the Linux kernel
  to execute code as root (CVE-2017-7308).
  The bug was initially introduced in 2011 and patched in version 4.10.6,
  potentially affecting a large number of kernels; however this exploit
  targets only systems using Ubuntu Xenial kernels 4.8.0 MSF_LICENSE,
'Author' =>
  [
    'Andrey Konovalov', # Discovery and C exploit
    'Brendan Coles'     # Metasploit
  ],
'DisclosureDate' => 'Mar 29 2017',
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [[ 'Auto', {} ]],
'Privileged' => true,
'References' =>
  [
    [ 'EDB', '41994' ],
    [
```
Exploit-DB
Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation
exploitdb·2017-05-11·CVSS 7.8
```c
// A proof-of-concept local root exploit for CVE-2017-7308.
// Includes a SMEP & SMAP bypass.
// Tested on 4.8.0-41-generic Ubuntu kernel.
// https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308
//
// Usage:
// user@ubuntu:~$ uname -a
// Linux ubuntu 4.8.0-41-generic #44~16.04.1-Ubuntu SMP Fri Mar 3 ...
// user@ubuntu:~$ gcc pwn.c -o pwn
// user@ubuntu:~$ ./pwn
// [.] starting
// [.] namespace sandbox set up
// [.] KASLR bypass enabled, getting kernel addr
// [.] done, kernel text: ffffffff87000000
// [.] commit_creds: ffffffff870a5cf0
// [.] prepare_kernel_cred: ffffffff870a60e0
// [.] native_write_cr4: ffffffff87064210
// [.] padding heap
// [.] done, heap is padded
// [.] SMEP & SMAP by
```
Metasploit
AF_PACKET packet_set_ring Privilege Escalation
metasploit·CVSS 7.8
This module exploits a heap-out-of-bounds write in the packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in the Linux kernel to execute code as root (CVE-2017-7308). The bug was initially introduced in 2011 and patched in version 4.10.6, potentially affecting a large number of kernels; however this exploit targets only systems using Ubuntu Xenial kernels 4.8.0 < 4.8.0-46, including Linux distros based on Ubuntu Xenial, such as Linux Mint. The target system must have unprivileged user namespaces enabled and two or more CPU cores. Bypasses for SMEP, SMAP and KASLR are included. Failed exploitation may crash the kernel. This module has been tested successfully on Linux Mint 18 (x86_64) with kernel versions: 4.8.0-34-generic; 4.8.0-3
Unit42
CVE-2020-14386: Privilege Escalation Vulnerability in the Linux kernel
blogs_unit42·2020-10-10·CVSS 7.8
By Or Cohen, published October 9, 2020 (Threat Research, Vulnerabilities)
## Executive Summary
Lately, I’ve been investing time into auditing packet sockets source code in the Linux kernel. This led me to the discovery of CVE-2020-14386, a memory corruption vulnerability in the Linux kernel. Such a vulnerability can be used to escalate privileges from an unprivileged user into the root user on a Linux system. In this blog, I will provide a technical walkthrough of the vulnerability, how it can be exploited and how Palo Alto Networks customers are protected.
A few years ago, several vulnerabilities were discovered in packet sockets (CVE-2017-7308 and CVE-2016-8655), and there are some publications, such as this one in the Project Zero blog and this in Openwall, which give some overview of the main functionality.
Specifically, in order for the vulnerability to
arXiv
Shrinking the Kernel Attack Surface Through Static and Dynamic Syscall Limitation
arxiv_fulltext·2025-10-04
Dongyang Zhan (Member, IEEE), Zhaofeng Yu, Xiangzhan Yu, Hongli Zhang and Lin Ye
School of Cyberspace Science, Harbin Institute of Technology, Harbin, Heilongjiang, 150001
E-mail: {zhandy, 20S003135, yuxiangzhan, zhanghongli, hityelin}@hit.edu.cn
Corresponding author: Dongyang Zhan
## Abstract
Linux Seccomp is widely used by program developers and system maintainers to secure operating systems; it can block unused syscalls for different applications and containers to shrink the attack surface of the operating system. However, it is difficult to configure the whitelist of a container or application without the help of program developers. Docker con
arXiv
Securing Operating Systems Through Fine-grained Kernel Access Limitation for IoT Systems
arxiv_fulltext·2025-10-04
Dongyang Zhan (Member, IEEE), Zhaofeng Yu, Xiangzhan Yu, Hongli Zhang, Lin Ye and Likun Liu
School of Cyberspace Science, Harbin Institute of Technology, Harbin, Heilongjiang, 150001
E-mail: {zhandy, yuxiangzhan, zhanghongli, hityelin, liulikun}@hit.edu.cn
Corresponding author: Likun Liu ([email protected])
## Abstract
With the development of the Internet of Things (IoT), it is gaining a lot of attention. It is important to secure embedded systems with low overhead. Linux Seccomp is widely used by developers to secure kernels by blocking access to unused syscalls, which introduces little overhead. However, there are no systematic Secco
arXiv
In-Kernel Control-Flow Integrity on Commodity OSes using ARM Pointer Authentication
arxiv_fulltext·2021-12-14
Sungbae Yoo, Jinbum Park, Seolheui Kim, Yeji Kim and Taesoo Kim
Samsung Research; Georgia Institute of Technology
## Abstract
This paper presents an in-kernel, hardware-based control-flow integrity (CFI) protection, called , that utilizes ARM's Pointer Authentication (PA). It provides three important benefits over commercial, state-of-the-art PA-based CFIs like iOS's: 1) enhancing CFI precision via automated refinement techniques, 2) addressing hindsight problems of PA for in-kernel uses such as preemptive hijacking and brute-forcing attacks, and 3) assuring the algorithmic or implementation correctness via post validation. achieves these
arXiv
Threat Modeling and Security Analysis of Containers: A Survey
arxiv_fulltext·2021-11-22
Ann Yi Wong, Eyasu Getahun Chekole and Jianying Zhou (Singapore University of Technology and Design, Singapore 487372, Singapore; [email protected], {eyasu_chekole, jianying_zhou}@sutd.edu.sg)
Martín Ochoa (Department of Computer Science, ETH Zurich, 8092 Zurich, Switzerland; [email protected])
## Abstract
Traditionally, applications used in large and small enterprises were deployed on "bare metal" servers installed with operating systems. Recently, the use of multiple virtual machines (VMs) on the same physical server was adopted due to cost reduction and flexibility. Nowadays, containers have become popular for application deployment due to smaller footprints than the VMs, their ability to start
arXiv
Lic-Sec: an enhanced AppArmor Docker security profile generator
arxiv_fulltext·2020-09-24
Hui Zhu ([email protected]) and Christian Gehrmann ([email protected])
Department of Electrical and Information Technology, Lund University, Lund, Sweden
## Abstract
Along with the rapid development of cloud computing technology, containerization technology has drawn much attention from both industry and academia. In this paper, we perform a comparative measurement analysis of Docker-sec, which is a Linux Security Module proposed in 2018, and a new AppArmor profile generator called Lic-Sec, which combines Docker-sec with a modified version of LiCShield, which is also a Linux Security Module proposed in 2015. Docker-sec and LiCShield can be used to enhance Docker container sec
HackerOne
Linux kernel: CVE-2017-7308: a signedness issue in AF_PACKET sockets
hackerone·2019-09-11·CVSS 7.8
Hi!
[CVE-2017-7308](https://nvd.nist.gov/vuln/detail/CVE-2017-7308) is a vulnerability I found in the Linux kernel caused by a signedness issue in AF_PACKET sockets. It can be exploited to gain kernel code execution from an unprivileged process. The kernel has to be built with CONFIG_PACKET for the vulnerability to be present. A lot of modern distributions enable this option by default.
I initially reported this vulnerability to [email protected] following the coordinated disclosure process. As advised by them I've developed a fix for this vulnerability and sent it upstream. The fix was [committed](https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2b6867c2ce76c596676bec7d2d525af525fdc6e2) on
Bugzilla
CVE-2017-7308 kernel: net/packet: overflow in check for priv area size [fedora-all]
bugzilla·2017-03-30·CVSS 7.8
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple supported ve
Bugzilla
CVE-2017-7308 kernel: net/packet: overflow in check for priv area size
bugzilla·2017-03-30·CVSS 7.8
It was found that the packet_set_ring() function of the Linux kernel's networking implementation did not properly validate certain block-size data. A local attacker with CAP_NET_RAW capability could use this flaw to trigger a buffer overflow resulting in a system crash or a privilege escalation.
References:
http://seclists.org/oss-sec/2017/q1/697
https://nvd.nist.gov/vuln/detail/CVE-2017-7308
http://seclists.org/oss-sec/2017/q2/5
https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
Upstream patches:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2b6867c2ce76c596676bec7d2d525af525fdc6e2
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux
References
- http://www.securityfocus.com/bid/97234
- https://access.redhat.com/errata/RHSA-2017:1297
- https://access.redhat.com/errata/RHSA-2017:1298
- https://access.redhat.com/errata/RHSA-2017:1308
- https://access.redhat.com/errata/RHSA-2018:1854
- https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
- https://patchwork.ozlabs.org/patch/744811/
- https://patchwork.ozlabs.org/patch/744812/
- https://patchwork.ozlabs.org/patch/744813/
- https://source.android.com/security/bulletin/2017-07-01
- https://www.exploit-db.com/exploits/41994/
- https://www.exploit-db.com/exploits/44654/