The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls.
When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Linux_kernel | Linux | 2.6.27 (including) | 3.2.89 (excluding) |
| Linux_kernel | Linux | 3.3 (including) | 3.10.107 (excluding) |
| Linux_kernel | Linux | 3.11 (including) | 3.12.74 (excluding) |
| Linux_kernel | Linux | 3.13 (including) | 3.16.44 (excluding) |
| Linux_kernel | Linux | 3.17 (including) | 3.18.52 (excluding) |
| Linux_kernel | Linux | 3.19 (including) | 4.1.41 (excluding) |
| Linux_kernel | Linux | 4.2 (including) | 4.4.66 (excluding) |
| Linux_kernel | Linux | 4.5 (including) | 4.9.26 (excluding) |
| Linux_kernel | Linux | 4.10 (including) | 4.10.14 (excluding) |