Vigil@nce - Linux kernel: denial of service via CAN RAW
April 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can use a CAN RAW socket, in order to stop the
system.
Severity: 1/4
Creation date: 21/04/2011
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The CAN (Controller Area Network) bus is mainly used in cars. CAN
RAW sockets are used to directly build packets.
The raw_release() function of the net/can/raw.c file is called
when an error occurs in socket()/socketpair()/etc. or when the
socket is closed with close().
However, if raw_release() is called after an error, its parameter
can be NULL, and this NULL pointer is dereferenced.
A local attacker can therefore use a CAN RAW socket, in order to
stop the system.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-CAN-RAW-10588