Vigil@nce: Linux kernel, buffer overflow via KVM e1000
February 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker in a KVM guest system that has an e1000 network device can send two packets whose combined size exceeds the emulated device's transmit buffer, in order to create an overflow, leading to a denial of service and possibly to code execution on the host system.
Severity: 2/4
Creation date: 24/01/2012
IMPACTED PRODUCTS
Debian Linux
Linux kernel
Red Hat Enterprise Linux
DESCRIPTION OF THE VULNERABILITY
The Linux kernel and KVM can provide guest systems with an emulated Intel e1000 network device (selected with "model=e1000"). The emulation runs on the host, so the guest's e1000 driver drives host-side code through the transmit descriptors it writes.
The process_tx_desc() function handles transmit descriptors with the TSE (TCP Segmentation Enable) flag set, gathering the data of successive descriptors into a fixed-size buffer on the host. However, the length requested by a descriptor is not bounded by the space remaining in that buffer, so when several packets are processed and their combined size is too high, the buffer overflows.
An attacker who controls a KVM guest with an e1000 network device can therefore send two packets whose sizes together exceed the buffer, in order to trigger the overflow, leading to a denial of service and possibly to code execution on the host system. Only guests configured with the e1000 device model are exposed, and no privilege on the host is needed: the malicious descriptors are ordinary guest network traffic.
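The accumulate-then-copy pattern described above, as an added illustrative C model that is not code from QEMU, KVM or the Vigil@nce bulletin: a vulnerable variant that trusts each descriptor's length sits beside a hardened one that bounds the copy against the room left in the buffer. The buffer size TX_BUF_SIZE, the descriptor lengths, the struct layouts and the function names are assumptions chosen for the demonstration; the guard canary exists only so the overflow can be observed deterministically rather than by crashing.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model only (not QEMU's or KVM's e1000 code): the emulated
 * NIC keeps one fixed-size assembly buffer for a TSE (TCP Segmentation
 * Enable) packet and appends the data of each transmit descriptor to it. */
#define TX_BUF_SIZE  0x10000u  /* assumed size of the host-side assembly buffer */
#define GUARD_SIZE   64u       /* canary bytes after the buffer, demo only */
#define CANARY_BYTE  0xA5

struct tx_state {
    /* backing[0 .. TX_BUF_SIZE) is the logical packet buffer; the guard region
     * after it makes the overrun visible instead of corrupting other memory. */
    uint8_t  backing[TX_BUF_SIZE + GUARD_SIZE];
    uint32_t size;             /* bytes accumulated so far */
};

/* A guest-supplied transmit descriptor, reduced to the fields that matter. */
struct tx_desc {
    const uint8_t *payload;
    uint32_t       length;     /* guest-controlled */
};

static void tx_reset(struct tx_state *tp)
{
    memset(tp->backing, 0, TX_BUF_SIZE);
    memset(tp->backing + TX_BUF_SIZE, CANARY_BYTE, GUARD_SIZE);
    tp->size = 0;
}

/* Vulnerable pattern: each descriptor's length is trusted, so two descriptors
 * whose lengths sum past TX_BUF_SIZE write beyond the buffer. */
static void process_tx_desc_vulnerable(struct tx_state *tp, const struct tx_desc *d)
{
    uint32_t bytes = d->length;
    /* Demo-only clamp so the write stays inside 'backing' and the program keeps
     * running; the real bug has no such bound, so a larger length corrupts
     * whatever follows the buffer in host memory. */
    if (bytes > TX_BUF_SIZE + GUARD_SIZE - tp->size)
        bytes = TX_BUF_SIZE + GUARD_SIZE - tp->size;
    memcpy(tp->backing + tp->size, d->payload, bytes);
    tp->size += bytes;
}

/* Hardened pattern: bound the copy against the room left in the buffer.
 * Written as 'bytes > room' rather than 'size + bytes > TX_BUF_SIZE' so a
 * huge guest length cannot wrap the 32-bit addition. */
static void process_tx_desc_fixed(struct tx_state *tp, const struct tx_desc *d)
{
    uint32_t bytes = d->length;
    uint32_t room  = TX_BUF_SIZE - tp->size;   /* size never exceeds TX_BUF_SIZE here */
    if (bytes > room)
        bytes = room;
    memcpy(tp->backing + tp->size, d->payload, bytes);
    tp->size += bytes;
}

static bool guard_intact(const struct tx_state *tp)
{
    for (uint32_t i = 0; i < GUARD_SIZE; i++)
        if (tp->backing[TX_BUF_SIZE + i] != CANARY_BYTE)
            return false;
    return true;
}

struct demo_result {
    bool     guard_intact;     /* false means the buffer was overrun */
    uint32_t size;             /* bytes the model believes it assembled */
};

/* Feeds two descriptors whose lengths add up to more than the buffer (the
 * bulletin's two-packet scenario) through either variant. */
static struct demo_result run_two_descriptors(bool use_fix)
{
    static struct tx_state tp;                  /* static: 64 KiB, keep it off the stack */
    static uint8_t payload[TX_BUF_SIZE];        /* constructed guest data */
    memset(payload, 0x42, sizeof payload);
    tx_reset(&tp);

    struct tx_desc first  = { payload, 0xFF00u };   /* leaves 0x100 bytes of room */
    struct tx_desc second = { payload, 0x0120u };   /* 0x20 bytes more than fit */
    void (*process)(struct tx_state *, const struct tx_desc *) =
        use_fix ? process_tx_desc_fixed : process_tx_desc_vulnerable;
    process(&tp, &first);
    process(&tp, &second);

    struct demo_result r = { guard_intact(&tp), tp.size };
    return r;
}

int main(void)
{
    struct demo_result v = run_two_descriptors(false);
    struct demo_result f = run_two_descriptors(true);
    printf("vulnerable: guard %s, size 0x%x\n", v.guard_intact ? "intact" : "OVERWRITTEN", v.size);
    printf("fixed:      guard %s, size 0x%x\n", f.guard_intact ? "intact" : "OVERWRITTEN", f.size);
    return 0;
}
```

Run stand-alone, the vulnerable variant reports the guard overwritten with a size of 0x10020, while the hardened variant stops at 0x10000 with the guard intact. The point to carry over to real device-emulation code is that a per-descriptor length check is not enough: the bound has to be against the space remaining in the shared buffer, recomputed on every descriptor, and expressed in a form that cannot wrap when the guest supplies a very large length.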
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN