Vigil@nce - Linux kernel: memory disclosure via Net Scheduler
August 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can use the tcf_*_dump() functions in order to read kernel data.
Severity: 1/4
Creation date: 20/08/2010
DESCRIPTION OF THE VULNERABILITY
The tcf_gact_dump(), tcf_mirred_dump(), tcf_nat_dump(), tcf_simp_dump() and tcf_skbedit_dump() functions, in the files net/sched/act_gact.c, net/sched/act_mirred.c, net/sched/act_nat.c, net/sched/act_simple.c and net/sched/act_skbedit.c, are used to manipulate network packets in the kernel.
The memcpy() function copies a memory block to another.
The tcf_*_dump() functions use a local structure initialized with various information. This structure is then copied into a caller-provided buffer via the memcpy() function. However, not all fields of the local structure are initialized. Some bytes are therefore leaked to the caller.
An attacker can therefore use the tcf_*_dump() functions in order to read kernel data.
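The pattern described above, shown next to its hardened form. This is an added user-space example, not code from the bulletin or from the kernel. The struct demo_opt type, its field names, the dump_leaky() and dump_fixed() functions and the 0xAA marker are assumptions made for illustration; the marker stands in for whatever bytes a reused kernel stack slot would hold.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xAA /* constructed marker: leftover bytes in a reused stack slot */

/* Hypothetical stand-in for an action's dump structure (not the kernel's). */
struct demo_opt {
    uint32_t index;
    uint32_t reserved; /* the field the dump routine forgets to set */
    int32_t  action;
    int32_t  refcnt;
};

static void set_known_fields(struct demo_opt *opt)
{
    opt->index = 1;
    opt->action = 2;
    opt->refcnt = 3;
}

/* Vulnerable pattern: set some fields, then memcpy() the whole struct out. */
size_t dump_leaky(unsigned char *out)
{
    struct demo_opt opt;
    memset(&opt, STALE, sizeof(opt)); /* simulate stale stack contents */
    set_known_fields(&opt);           /* 'reserved' still holds stale bytes */
    memcpy(out, &opt, sizeof(opt));
    return sizeof(opt);
}

/* Hardened pattern: zero the whole object (unset fields and any padding)
 * before filling it in, so only intended data reaches the caller. */
size_t dump_fixed(unsigned char *out)
{
    struct demo_opt opt;
    memset(&opt, STALE, sizeof(opt)); /* same stale slot as above */
    memset(&opt, 0, sizeof(opt));     /* the fix */
    set_known_fields(&opt);
    memcpy(out, &opt, sizeof(opt));
    return sizeof(opt);
}

/* Count bytes in the caller's buffer that came from stale memory. */
size_t count_stale(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (buf[i] == STALE);
    return n;
}

int main(void)
{
    unsigned char buf[sizeof(struct demo_opt)];
    printf("leaky: %zu stale bytes\n", count_stale(buf, dump_leaky(buf)));
    printf("fixed: %zu stale bytes\n", count_stale(buf, dump_fixed(buf)));
    return 0;
}
```

When reviewing similar code, look for a stack structure that is filled field by field and then copied out in full with sizeof(); zeroing the structure first, or declaring it with an initializer, closes the leak.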