Allele Security Alert
ASA-2019-00635
Identifier(s)
ASA-2019-00635, CVE-2019-18805, CID-19fad20d15a6
Title
Signed integer overflow in tcp_ack_update_rtt()
Vendor(s)
Linux Foundation
Product(s)
Linux kernel
Affected version(s)
Linux kernel versions before 5.1
Linux kernel 5.0.x before version 5.0.11
Linux kernel 4.19.x before version 4.19.38
Linux kernel 4.14.x before version 4.14.115
Linux kernel 4.9.x before version 4.9.172
Linux kernel 4.4.x before version 4.4.180
Linux kernel versions since the following commit:
tcp: track min RTT using windowed min-filter
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f672258391b42a5c7cc2732c9c063e56a85c8dbe
Fixed version(s)
Linux kernel version 5.1
Linux kernel version 5.0.11
Linux kernel version 4.19.38
Linux kernel version 4.14.115
Linux kernel version 4.9.172
Linux kernel version 4.4.180
Linux kernel versions with the following commit applied:
ipv4: set the tcp_min_rtt_wlen range from 0 to one day
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=19fad20d15a6494f47f85d869f00b11343ee5c78
Proof of concept
Yes
Description
An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux kernel. There is a net/ipv4/tcp_input.c signed integer overflow in tcp_ack_update_rtt() when userspace writes a very large integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial of service or possibly unspecified other impact.
Technical details
Steps to reproduce:
echo 2147483647 > /proc/sys/net/ipv4/tcp_min_rtt_wlen
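The arithmetic behind the overflow, next to a range check modelled on the fix's title, as an added example that is not part of the original alert or the kernel source. It assumes the sysctl value (seconds) is scaled to jiffies by an int multiplication with HZ; HZ = 1000, ONE_DAY_SECS and all function names are illustrative.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define HZ 1000                   /* assumed tick rate; a kernel build option */
#define ONE_DAY_SECS (24 * 3600)  /* upper bound named in the fix's title */

/* Scale a window length in seconds to jiffies using int arithmetic.
 * Returns false when the product does not fit in an int, i.e. when the
 * unchecked multiplication would be a signed integer overflow. */
bool wlen_to_jiffies(int wlen_secs, int hz, int *jiffies_out)
{
    return !__builtin_mul_overflow(wlen_secs, hz, jiffies_out);
}

/* Range check modelled on the fix: accept only 0 .. one day. */
bool wlen_in_fixed_range(long wlen_secs)
{
    return wlen_secs >= 0 && wlen_secs <= ONE_DAY_SECS;
}

/* Largest window length (seconds) that scales by hz without overflow. */
int max_safe_wlen(int hz)
{
    return INT_MAX / hz;
}

int main(void)
{
    /* Constructed inputs: the default (300), the new bound, and the
     * value from the reproduction step. */
    const int samples[] = { 300, ONE_DAY_SECS, 2147483647 };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int jiffies = 0;
        bool fits = wlen_to_jiffies(samples[i], HZ, &jiffies);

        printf("wlen=%d in_range=%d fits_int=%d", samples[i],
               wlen_in_fixed_range(samples[i]), fits);
        if (fits)
            printf(" jiffies=%d", jiffies);
        printf("\n");
    }
    printf("max safe wlen at HZ=%d: %d s\n", HZ, max_safe_wlen(HZ));
    return 0;
}
```

Every value the range check accepts stays well below the overflow threshold at this HZ, which is why bounding the sysctl at write time removes the overflow.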
Credits
ZhangXiaoxu
Reference(s)
ipv4: set the tcp_min_rtt_wlen range from 0 to one day
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=19fad20d15a6494f47f85d869f00b11343ee5c78
ipv4: set the tcp_min_rtt_wlen range from 0 to one day
https://github.com/torvalds/linux/commit/19fad20d15a6494f47f85d869f00b11343ee5c78
tcp: track min RTT using windowed min-filter
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f672258391b42a5c7cc2732c9c063e56a85c8dbe
tcp: track min RTT using windowed min-filter
https://github.com/torvalds/linux/commit/f672258391b42a5c7cc2732c9c063e56a85c8dbe
Linux 5.1
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.1
Linux 5.0.11
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0.11
Linux 4.14.115
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.115
Linux 4.19.38
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.38
Linux 4.9.172
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.172
Linux 4.4.180
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.180
CVE-2019-18805 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-18805
CVE-2019-18805
https://security-tracker.debian.org/tracker/CVE-2019-18805
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18805.html
CVE-2019-18805 | SUSE
https://www.suse.com/security/cve/CVE-2019-18805
CVE-2019-18805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18805
CVE-2019-18805
https://nvd.nist.gov/vuln/detail/CVE-2019-18805
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: December 5, 2019