{"uuid": "e32af351-e54b-47bc-be8b-ec855671e14b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2017-17712", "type": "published-proof-of-concept", "source": "https://t.me/HackerOne/1436", "content": "CVE-2017-17712 net/ipv4/raw.c: raw_sendmsg() race condition\n\n#######   BUG DETAILS  ############\nin net/ipv4/raw.c:\nstatic int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)\n\n{\n  ...\n\n  struct raw_frag_vec rfv;         [1]\n  ...\n  ...\n\n  if (!inet->hdrincl) {           [2]\n\n    rfv.msg = msg;\n    rfv.hlen = 0;\n    err = raw_probe_proto_opt(&rfv, &fl4);\n    if (err)\n      goto done;\n  }\n  ...\n  ...\n  if (inet->hdrincl)  [3]\n    err = raw_send_hdrinc(sk, &fl4, msg, len,\n              &rt, msg->msg_flags, &ipc.sockc);\n   else {\n    sock_tx_timestamp(sk, ipc.sockc.tsflags, &ipc.tx_flags);\n    if (!ipc.addr)\n      ipc.addr = fl4.daddr;\n    lock_sock(sk);\n    err = ip_append_data(sk, &fl4, raw_getfrag,\n             &rfv, len, 0,    [4]\n             &ipc, &rt, msg->msg_flags);\n  ...\n}\n\n\n[1] rfv is not initialized and contains a pointer to a msghdr header structure.\n[2], [3] There are multiple checks against inet->hdrincl without a lock.\n\nWhen we achieve (by racing inet->hdrincl via setsockopt()) inet->hdrincl=1 in [1], and inet->hdrincl=0 in [2], rfv variable remains uninitialized and used in [4].\nBy spraying the stack with controlled user data , we can take control of msg pointer which is used later in ip_append_data().\n\nFixed here : https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f659a03a0ba9289b9aeb9b4470e6fb263d6f483", "creation_timestamp": "2017-12-16T06:50:35.000000Z"}