Bug 1056051 - (CVE-2017-13715) VUL-0: CVE-2017-13715: kernel: __skb_flow_dissect function in net/core/flow_dissector.c allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Assigned To: Michal Marek
Security Team bot
Depends on:
Reported: 2017-08-29 07:56 UTC by Alexander Bergmann
Modified: 2017-09-07 11:55 UTC (History)
CC List: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexander Bergmann 2017-08-29 07:56:52 UTC

The __skb_flow_dissect function in net/core/flow_dissector.c in the
Linux kernel before 4.3 does not ensure that n_proto, ip_proto, and
thoff are initialized, which allows remote attackers to cause a denial
of service (system crash) or possibly execute arbitrary code via a
single crafted MPLS packet.

Comment 1 Alexander Bergmann 2017-08-29 08:00:31 UTC
SLE-12 is already fixed. Please check SLE-11 and before.
Comment 3 Marcus Meissner 2017-08-29 10:43:39 UTC
From: Alexander Popov <alex.popov () linux com>
Date: Thu, 24 Aug 2017 17:52:45 +0300

I was asked to investigate a suspicious kernel crash on some Linux
server. It is at least a remote DoS (and maybe RCE): Linux is crashed by
receiving a single special MPLS packet.

I bisected and found out that the bug was introduced in
commit b3baa0fbd02a1a9d493d8cb92ae4a4491b9e9d13
Author: Tom Herbert <tom () herbertland com>
Date:   Thu Jun 4 09:16:46 2015 -0700

And it was later fixed in
commit a6e544b0a88b53114bfa5a57e21b7be7a8dfc9d0
Author: Tom Herbert <tom () herbertland com>
Date:   Tue Sep 1 09:24:26 2015 -0700

So currently the mainline kernel is not affected.

However, this fix is obfuscated and looks like unimportant code
cleanup at first glance. IMO that is not good. Moreover,
the fix is part of a branch which breaks the kernel build, so
bisecting was not easy.

Actually the vulnerability is the usage of uninitialized variables. It
is caused by returning true without setting values for n_proto, ip_proto
and thoff in __skb_flow_dissect().

Is it worth requesting a CVE ID for that issue?

Best regards,
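To make the bug class Popov describes concrete, here is an added C model (not code from the Linux kernel, from this bug report or from the oss-security mail) of a flow dissector whose MPLS branch returns true without writing n_proto, ip_proto or thoff, placed beside a variant in which every success path goes through a single exit that sets all three. The packet layout, header lengths, struct names and sample packets are constructed for this example and are not the real skb or flow_dissector structures; the range check in the caller is added so the stale offset is observable instead of an out-of-bounds read.

```c
/*
 * Added example, not kernel code: a stripped-down model of the
 * uninitialized-output defect behind CVE-2017-13715. The two-byte
 * EtherType prefix, the header lengths and the sample packets are
 * constructed for this example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_P_IP    0x0800   /* real EtherType values */
#define ETH_P_MPLS  0x8847
#define MPLS_HLEN   4        /* one MPLS label */
#define IPV4_HLEN   20       /* IPv4 header without options (model only) */

struct flow_keys {
    uint16_t n_proto;   /* network-layer protocol (EtherType) */
    uint8_t  ip_proto;  /* transport-layer protocol */
    int      thoff;     /* offset of the transport header in the packet */
};

/* Vulnerable shape: the MPLS branch reports success but writes nothing. */
static bool dissect_vuln(const uint8_t *pkt, size_t len, struct flow_keys *out)
{
    int nhoff = 2;
    if (len < 2)
        return false;
    uint16_t proto = (uint16_t)((pkt[0] << 8) | pkt[1]);

    if (proto == ETH_P_MPLS) {
        if (len < (size_t)nhoff + MPLS_HLEN)
            return false;
        return true;   /* BUG: *out left exactly as the caller had it */
    }
    if (proto == ETH_P_IP) {
        if (len < (size_t)nhoff + IPV4_HLEN)
            return false;
        out->n_proto  = proto;
        out->ip_proto = pkt[nhoff + 9];   /* IPv4 protocol field */
        out->thoff    = nhoff + IPV4_HLEN;
        return true;
    }
    return false;
}

/* One way to fix it: a single exit label that always fills in the keys. */
static bool dissect_fixed(const uint8_t *pkt, size_t len, struct flow_keys *out)
{
    uint16_t proto;
    uint8_t  ip_proto = 0;
    int      nhoff = 2;

    if (len < 2)
        return false;
    proto = (uint16_t)((pkt[0] << 8) | pkt[1]);

    if (proto == ETH_P_MPLS) {
        if (len < (size_t)nhoff + MPLS_HLEN)
            return false;
        nhoff += MPLS_HLEN;          /* payload starts after the label */
        goto out_good;
    }
    if (proto == ETH_P_IP) {
        if (len < (size_t)nhoff + IPV4_HLEN)
            return false;
        ip_proto = pkt[nhoff + 9];
        nhoff += IPV4_HLEN;
        goto out_good;
    }
    return false;

out_good:
    out->n_proto  = proto;
    out->ip_proto = ip_proto;
    out->thoff    = nhoff;
    return true;
}

typedef bool (*dissect_fn)(const uint8_t *, size_t, struct flow_keys *);

/*
 * Caller that trusts thoff. The 0xA5 fill stands in for stale stack
 * contents; the range check is added here so the stale value shows up as
 * -1 rather than as the out-of-bounds read a trusting caller would do.
 * Returns the first transport byte, -1 for a bad offset, -2 if rejected.
 */
static int first_transport_byte(dissect_fn dissect, const uint8_t *pkt, size_t len)
{
    struct flow_keys keys;
    memset(&keys, 0xA5, sizeof keys);
    if (!dissect(pkt, len, &keys))
        return -2;
    if (keys.thoff < 0 || (size_t)keys.thoff >= len)
        return -1;
    return pkt[keys.thoff];
}

/* Constructed sample packets: EtherType, header(s), one payload byte. */
static const uint8_t MPLS_PKT[] = {
    0x88, 0x47, 0x00, 0x01, 0x11, 0x40, 0x42 };
static const uint8_t IP_PKT[] = {
    0x08, 0x00,
    0x45, 0x00, 0x00, 0x15, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06,  /* proto = 6 */
    0x00, 0x00, 0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x99 };

static int mpls_vuln(void)  { return first_transport_byte(dissect_vuln,  MPLS_PKT, sizeof MPLS_PKT); }
static int mpls_fixed(void) { return first_transport_byte(dissect_fixed, MPLS_PKT, sizeof MPLS_PKT); }
static int ip_vuln(void)    { return first_transport_byte(dissect_vuln,  IP_PKT, sizeof IP_PKT); }
static int ip_fixed(void)   { return first_transport_byte(dissect_fixed, IP_PKT, sizeof IP_PKT); }

int main(void)
{
    printf("MPLS: vuln -> %d (stale thoff), fixed -> 0x%02x\n", mpls_vuln(), mpls_fixed());
    printf("IPv4: vuln -> 0x%02x, fixed -> 0x%02x\n", ip_vuln(), ip_fixed());
    return 0;
}
```

The IPv4 path behaves identically in both versions, which is why a reviewer reading the fix as a cleanup could miss that only the MPLS early return was ever wrong; the single-exit form also makes the invariant (success implies all keys written) checkable by inspection.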
Comment 4 Marcus Meissner 2017-08-29 10:44:36 UTC
b3baa0fbd02a1a9d493d8cb92ae4a4491b9e9d13 appeared in 4.2.

a6e544b0a88b53114bfa5a57e21b7be7a8dfc9d0 is in 4.3.

I think this excludes all our actively maintained kernels unless we backported stuff.
Comment 5 Michal Marek 2017-09-07 11:55:24 UTC
Thanks for the analysis, Marcus. I can't find such backport in any of our branches, so closing.