High severity 7.1 · NVD Advisory · Published Mar 28, 2017 · Updated May 13, 2026

CVE-2017-7277

Description

The Linux kernel's TCP stack mishandles SCM_TIMESTAMPING_OPT_STATS, allowing local users to read kernel memory or cause a denial of service via crafted system calls.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Linux kernel's TCP stack through version 4.10.6 mishandles the SCM_TIMESTAMPING_OPT_STATS feature in net/core/skbuff.c and net/socket.c. The function __sock_recv_timestamp in net/socket.c failed to check whether a socket buffer (skb) originated from the error queue before processing SCM_TIMESTAMPING_OPT_STATS data. This allowed an out-of-bounds read when a local user sends crafted packets with timestamping options and subsequently calls recvmsg. The fix in commit 8605330aac5a5785630aec8f64378a54891937cc [2] introduced a helper skb_is_err_queue to enforce that only error-queue skbs are processed. Additionally, commit 4ef1b2869447411ad3ef91ad7d4891a83c1a509a [1] corrected the handling of the opt_stats flag to prevent incorrect marking.
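The missing origin check described above, as a simplified user-space model added here for illustration; it is not kernel code or the patch itself. The struct, its fields, the flag offset and all function names are hypothetical, and the model assumes that the per-buffer scratch area only holds a stats flag for error-queue buffers.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* User-space model only; every name here is hypothetical, not kernel code. */
struct model_skb {
    bool from_err_queue;  /* assumed marker: buffer was queued on the error queue */
    unsigned char cb[48]; /* scratch area; its meaning depends on the buffer's owner */
    size_t len;           /* payload length */
};
enum { MODEL_OPT_STATS_OFF = 0 }; /* assumed offset of the stats flag in cb[] */

/* Before the fix: cb[] is trusted as error-queue metadata for every buffer. */
static bool stats_cmsg_unchecked(struct model_skb skb)
{
    return skb.len != 0 && skb.cb[MODEL_OPT_STATS_OFF] != 0;
}

/* After the fix: cb[] is interpreted only when the origin check passes. */
static bool stats_cmsg_checked(struct model_skb skb)
{
    if (!skb.from_err_queue)
        return false;
    return stats_cmsg_unchecked(skb);
}

/* Constructed sample: ordinary received data whose cb[] holds unrelated state. */
static struct model_skb make_normal_skb(void)
{
    struct model_skb skb = { .from_err_queue = false, .len = 100 };
    memset(skb.cb, 0xA5, sizeof(skb.cb));
    return skb;
}

/* Constructed sample: genuine error-queue buffer flagged as carrying stats. */
static struct model_skb make_err_skb(void)
{
    struct model_skb skb = { .from_err_queue = true, .len = 32 };
    skb.cb[MODEL_OPT_STATS_OFF] = 1;
    return skb;
}

int main(void)
{
    printf("normal: unchecked=%d checked=%d, error: checked=%d\n",
           stats_cmsg_unchecked(make_normal_skb()),
           stats_cmsg_checked(make_normal_skb()), stats_cmsg_checked(make_err_skb()));
    return 0;
}
```

In the model, the unchecked path treats an ordinary buffer's payload as statistics because unrelated scratch bytes look like a set flag; the checked path rejects it while still accepting the genuine error-queue buffer.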

Exploitation

An attacker with local access to the system can craft system calls that trigger the out-of-bounds read. Specifically, by sending a TCP segment with timestamping enabled (using SOF_TIMESTAMPING_OPT_STATS) and then invoking recvmsg with SCM_TIMESTAMPING_OPT_STATS, the kernel would read beyond the allocated buffer from an ordinary (non-error) skb. The attacker does not need elevated privileges; only the ability to create sockets and send packets is required.

Impact

Successful exploitation leads to a kernel information disclosure (reading sensitive data from kernel memory) and can cause a denial of service via a kernel panic or crash from the out-of-bounds read. The confidentiality of system data may be compromised.

Mitigation

The vulnerability is fixed in Linux kernel commits 8605330aac5a5785630aec8f64378a54891937cc [2] and 4ef1b2869447411ad3ef91ad7d4891a83c1a509a [1]. These patches were incorporated into kernel version 4.10.7 and later. Users should update to a patched kernel. No workarounds are documented.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
