Vigil@nce: Linux kernel, denial of service via CAN BCM
April 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can use a CAN BCM socket, in order to stop the
system.
– Severity: 1/4
– Creation date: 20/04/2011
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The BCM (Broadcast Manager) of CAN (Controller Area Network,
mainly used in cars) bus processes the broadcast of packets on the
bus.
The bcm_release() function of the net/can/bcm.c file is called
when an error occurs in socket()/socketpair()/etc. or when the
socket is closed with close().
However, if bcm_release() is called after an error, its parameter
can be NULL, and this NULL pointer is dereferenced.
A local attacker can therefore use a CAN BCM socket, in order to
stop the system.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-CAN-BCM-10584