ASA-2019-00635 – Linux kernel: Signed integer overflow in tcp_ack_update_rtt()


Allele Security Alert

ASA-2019-00635

Identifier(s)

ASA-2019-00635, CVE-2019-18805, CID-19fad20d15a6

Title

Signed integer overflow in tcp_ack_update_rtt()

Vendor(s)

Linux Foundation

Product(s)

Linux kernel

Affected version(s)

Linux kernel versions before 5.1

Linux kernel 5.0.x before version 5.0.11
Linux kernel 4.19.x before version 4.19.38
Linux kernel 4.14.x before version 4.14.115
Linux kernel 4.9.x before version 4.9.172
Linux kernel 4.4.x before version 4.4.180

Linux kernel versions since the following commit:

tcp: track min RTT using windowed min-filter
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f672258391b42a5c7cc2732c9c063e56a85c8dbe

Fixed version(s)

Linux kernel version 5.1

Linux kernel version 5.0.11
Linux kernel version 4.19.38
Linux kernel version 4.14.115
Linux kernel version 4.9.172
Linux kernel version 4.4.180

Linux kernel versions with the following commit applied:

ipv4: set the tcp_min_rtt_wlen range from 0 to one day
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=19fad20d15a6494f47f85d869f00b11343ee5c78

Proof of concept

Yes

Description

An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux kernel. A signed integer overflow occurs in tcp_ack_update_rtt() in net/ipv4/tcp_input.c when userspace writes a very large integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial of service or possibly unspecified other impact.

Technical details

Steps to reproduce:

echo 2147483647 > /proc/sys/net/ipv4/tcp_min_rtt_wlen
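
Why that value overflows, and how the 0-to-one-day range named by the fix commit prevents it, as an added user-space model (not kernel code and not part of the original alert). It assumes the window in seconds is multiplied by the tick rate HZ in signed int arithmetic, with HZ taken as 1000; HZ_ASSUMED, wlen_jiffies, wlen_write_allowed and audit_wlen are hypothetical names.

```c
#include <stdbool.h>
#include <stdio.h>

#define HZ_ASSUMED   1000         /* assumption: kernel tick rate (CONFIG_HZ) */
#define ONE_DAY_SECS (24 * 3600)  /* upper bound named by the fix commit title */

/* Model of the window computation: seconds * HZ in signed int arithmetic.
 * Returns false when the product cannot be represented in an int. */
static bool wlen_jiffies(int wlen_secs, int hz, int *out)
{
    return !__builtin_mul_overflow(wlen_secs, hz, out);
}

/* Model of the fixed sysctl range: only 0..one day (in seconds) is accepted. */
static bool wlen_write_allowed(int requested)
{
    return requested >= 0 && requested <= ONE_DAY_SECS;
}

/* 0 = value is safe, 1 = rejected by the range check,
 * 2 = accepted but seconds * HZ overflows a signed int. */
static int audit_wlen(int requested, bool range_check, int hz)
{
    int jiffies;

    if (range_check && !wlen_write_allowed(requested))
        return 1;
    return wlen_jiffies(requested, hz, &jiffies) ? 0 : 2;
}

int main(void)
{
    /* Constructed sample values; the last one is the value from the alert. */
    const int samples[] = { 300, ONE_DAY_SECS, 2147483, 2147484, 2147483647 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10d without range check=%d  with range check=%d\n",
               samples[i],
               audit_wlen(samples[i], false, HZ_ASSUMED),
               audit_wlen(samples[i], true, HZ_ASSUMED));
    return 0;
}
```

Under the assumed HZ of 1000, any setting above 2147483 seconds overflows without the range check, while the largest value the fixed range accepts (86400) yields 86400000, far below INT_MAX.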

Credits

ZhangXiaoxu

Reference(s)

ipv4: set the tcp_min_rtt_wlen range from 0 to one day
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=19fad20d15a6494f47f85d869f00b11343ee5c78

ipv4: set the tcp_min_rtt_wlen range from 0 to one day
https://github.com/torvalds/linux/commit/19fad20d15a6494f47f85d869f00b11343ee5c78

tcp: track min RTT using windowed min-filter
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f672258391b42a5c7cc2732c9c063e56a85c8dbe

tcp: track min RTT using windowed min-filter
https://github.com/torvalds/linux/commit/f672258391b42a5c7cc2732c9c063e56a85c8dbe

Linux 5.1
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.1

Linux 5.0.11
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0.11

Linux 4.14.115
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.115

Linux 4.19.38
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.38

Linux 4.9.172
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.172

Linux 4.4.180
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.180

CVE-2019-18805 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-18805

CVE-2019-18805
https://security-tracker.debian.org/tracker/CVE-2019-18805

CVE-2019-18805 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18805.html

CVE-2019-18805 | SUSE
https://www.suse.com/security/cve/CVE-2019-18805

CVE-2019-18805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18805

CVE-2019-18805
https://nvd.nist.gov/vuln/detail/CVE-2019-18805


Last modified: December 5, 2019
