Vigil@nce - Linux kernel: information disclosure via Segmentation Zerocopy
March 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can use fragmented data in order to obtain
memory areas from Linux kernel memory.
– Impacted products: Linux
– Severity: 1/4
– Creation date: 11/03/2014
DESCRIPTION OF THE VULNERABILITY
A SKB (Socket Kernel Buffer) can store fragmented network data.
The Zerocopy feature is used to access data without copying the
memory area.
However, if a fragmented SKB comes from vhost-net with Zerocopy,
a buffer storing its data can be freed and then returned to user
space while the kernel still references it.
A local attacker can therefore use fragmented data in order to
obtain memory areas from Linux kernel memory.
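The failure mode described above is an ownership problem: when a fragmented buffer is split into segments, each segment inherits pointers to the original fragments, and if those fragments are pages borrowed from user space (zerocopy), handing the pages back to the user while segments still point at them leaves the kernel reading memory it no longer owns. The following C program is an added illustration written for this bulletin, not kernel code and not Vigil@nce's; every structure and function name in it is a constructed stand-in for the real sk_buff machinery. It models the unsafe segmentation (segments share the borrowed pages) beside the hardened form, which takes ownership of each borrowed fragment by copying it into a kernel-owned page before the segments are created.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a fragmented socket buffer whose fragments
 * borrow pages from user space (zerocopy). All names are hypothetical
 * stand-ins, not the Linux kernel's own types or functions. */

#define PAGE_SZ 8
#define MAX_FRAGS 4

struct page {
    int user_owned;             /* 1: page belongs to user space (borrowed) */
    char data[PAGE_SZ];
};

struct frag {
    struct page *page;
};

struct skb {
    int zerocopy;               /* fragments point into user-space memory */
    int nfrags;
    struct frag frags[MAX_FRAGS];
};

/* Mitigation: take ownership of every borrowed fragment by copying it
 * into a kernel-owned page, so later users never touch user pages. */
static void orphan_frags(struct skb *skb) {
    if (!skb->zerocopy) return;
    for (int i = 0; i < skb->nfrags; i++) {
        struct page *copy = calloc(1, sizeof *copy);
        if (!copy) abort();
        memcpy(copy->data, skb->frags[i].page->data, PAGE_SZ);
        copy->user_owned = 0;
        skb->frags[i].page = copy;
    }
    skb->zerocopy = 0;
}

/* Split src into one segment per fragment. The unsafe variant shares the
 * page pointers as-is; the safe variant orphans borrowed pages first. */
static int segment(struct skb *src, struct skb *segs, int safe) {
    if (safe) orphan_frags(src);
    for (int i = 0; i < src->nfrags; i++) {
        segs[i].zerocopy = src->zerocopy;
        segs[i].nfrags = 1;
        segs[i].frags[0].page = src->frags[i].page;
    }
    return src->nfrags;
}

/* The original skb is consumed: for a zerocopy skb this signals user
 * space that its pages are free again, and user space reuses them. */
static void consume_and_return_pages(struct page *user_pages, int n) {
    for (int i = 0; i < n; i++)
        memset(user_pages[i].data, 'X', PAGE_SZ);   /* user reuses the page */
}

/* Returns 1 if any segment now observes content other than what was
 * segmented, i.e. it is reading memory no longer owned by the kernel. */
int segments_read_stale(int safe) {
    struct page user_pages[MAX_FRAGS];
    struct skb src = { .zerocopy = 1, .nfrags = MAX_FRAGS };
    for (int i = 0; i < MAX_FRAGS; i++) {
        user_pages[i].user_owned = 1;
        memset(user_pages[i].data, 'A' + i, PAGE_SZ);
        src.frags[i].page = &user_pages[i];
    }
    struct skb segs[MAX_FRAGS];
    int n = segment(&src, segs, safe);
    consume_and_return_pages(user_pages, MAX_FRAGS);

    int stale = 0;
    for (int i = 0; i < n; i++) {
        struct page *p = segs[i].frags[0].page;
        if (p->user_owned || p->data[0] != 'A' + i) stale = 1;
        if (safe) free(p);      /* orphaned copies were heap-allocated */
    }
    return stale;
}

int main(void) {
    printf("shared-page segmentation reads stale memory: %d\n", segments_read_stale(0));
    printf("orphan-before-segment reads stale memory:    %d\n", segments_read_stale(1));
    return 0;
}
```

The point of the model is the ordering: ownership of borrowed fragments has to be settled before any second holder of the fragment pointers is created, because once the originating buffer completes, the zerocopy completion is what tells user space the pages are free. A reviewer auditing a zerocopy path should look for exactly that gap between "pointer copied" and "ownership taken".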
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN