Linux's decade-old flaw: Major distros move to patch serious kernel bug

Google fuzzer helps find 11-year-old memory-corruption flaw in the Linux kernel.
Written by Liam Tung, Contributing Writer

The bug double-free is in the Linux kernel's implementation of Datagram Congestion Control Protocol.

Image: iStock

Numerous Linux distributions are patching a serious flaw that has remained unnoticed in the kernel since about 2005.

The so-called double-free bug in the Linux kernel has been or is in the process of being patched by CoreOS, RedHat, Canonical, Debian and other Linux distributions.

The bug is in the Linux kernel's implementation of Datagram Congestion Control Protocol, or DCCP, and could let a local user gain root privileges and, in conjunction with other flaws, allow an attacker to execute arbitrary code in the kernel.

Andrey Konovalov, the researcher who found the CVE-2017-6074 flaw, says it was probably introduced in Linux kernel 2.6.14 from October 2005, which was the first version to support DCCP. The issue was patched in the Linux kernel last week, ahead of an advance notification to Linux distributions. Konovalov found the bug using Google's syzkaller distributed fuzzing tool.

As per the MITRE description, the Linux kernel's DCCP implementation "mishandles DCCP_PKT_REQUEST pack data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service via an application that makes an IPV6_RECVPKTINFO setsockopt system call".

Konovalov further points to an issue in the socket buffer (skb) of the DCCP. "In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet is forcibly freed via __kfree_skb in dccp_rcv_state_process if dccp_v6_conn_request successfully returns," writes Konovalov.

"However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb is saved to ireq->pktopts and the ref count for skb is incremented in dccp_v6_conn_request [4], so skb is still in use. Nevertheless, it still gets freed in dccp_rcv_state_process."

These two frees can then be be turned into a use-after-free flaw, which can be employed to execute arbitrary code in the kernel. Konovalov intends to reveal an exploit for it in coming days.

"An attacker can control what object that would be and overwrite its content with arbitrary data by using some of the kernel heap-spraying techniques. If the overwritten object has any triggerable function pointers, an attacker gets to execute arbitrary code within the kernel," he writes.

Last December, researchers revealed three Linux kernel vulnerabilities, the worst of which enabled local users, including remote users with virtual and cloud-based Linux instances, to crash a system or run arbitrary code as root.

Editorial standards