Vigil@nce - Linux kernel: use after free via ping_unhash
July 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can force the usage of a freed memory area in
ping_unhash() of the Linux kernel, in order to trigger a denial of
service, and possibly to execute code.
Impacted products: Debian, Fedora, Linux, SUSE Linux Enterprise
Desktop, SLES, Ubuntu
Severity: 2/4
Creation date: 04/05/2015
DESCRIPTION OF THE VULNERABILITY
The Linux kernel supports sockets of type ping:
socket(PF_INET, SOCK_DGRAM, IPPROTO_ICMP)
The access to these sockets is usually restricted.
However, if the user disconnects and then connects the socket again, the
ping_unhash() function frees a memory area before reusing it.
A local attacker can therefore force the usage of a freed memory
area in ping_unhash() of the Linux kernel, in order to trigger a
denial of service, and possibly to execute code.
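The bulletin notes that access to ping sockets is "usually restricted": the kernel only lets a process create them when one of its group ids falls inside the sysctl net.ipv4.ping_group_range, whose default value "1 0" is an inverted range that admits nobody. A host where that range has been widened exposes the ping_unhash() path to every user in those groups, so a quick exposure check is to compare the sysctl against the current user's groups and confirm with a socket() call. The following program is an added example written for this page, not code from the Vigil@nce bulletin or from the kernel; the path of the sysctl file and the "low high" format it contains are real, and the parsing helpers are this example's own.

```c
/* Added example (not part of the Vigil@nce bulletin): report whether the
 * current user is allowed to create ICMP "ping" sockets on this host, which
 * is the precondition for reaching ping_unhash() as an unprivileged user.
 * The kernel gates creation on net.ipv4.ping_group_range ("low high");
 * the default "1 0" is an inverted range that matches no group at all. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define PING_GROUP_RANGE_PATH "/proc/sys/net/ipv4/ping_group_range"

/* Parse the "low high" text the kernel exposes in /proc. Returns 0 on
 * success, -1 if the text does not contain two unsigned integers. */
int parse_ping_group_range(const char *text, gid_t *low, gid_t *high)
{
    unsigned long lo, hi;
    if (sscanf(text, "%lu %lu", &lo, &hi) != 2)
        return -1;
    *low = (gid_t)lo;
    *high = (gid_t)hi;
    return 0;
}

/* 1 if gid lies inside [low, high]; an inverted range (low > high, as in
 * the default "1 0") matches nothing, which is how the kernel treats it. */
int gid_in_ping_range(gid_t gid, gid_t low, gid_t high)
{
    return low <= high && low <= gid && gid <= high;
}

/* 1 if any of the given gids (primary plus supplementary) is allowed. */
int any_gid_in_ping_range(const gid_t *gids, int ngids, gid_t low, gid_t high)
{
    for (int i = 0; i < ngids; i++)
        if (gid_in_ping_range(gids[i], low, high))
            return 1;
    return 0;
}

int main(void)
{
    char buf[64];
    gid_t low, high;

    FILE *f = fopen(PING_GROUP_RANGE_PATH, "r");
    if (!f) { perror(PING_GROUP_RANGE_PATH); return 1; }
    if (!fgets(buf, sizeof buf, f)) { fclose(f); return 1; }
    fclose(f);
    if (parse_ping_group_range(buf, &low, &high) != 0) {
        fprintf(stderr, "unexpected sysctl format: %s", buf);
        return 1;
    }
    printf("net.ipv4.ping_group_range = %u %u (%s)\n",
           (unsigned)low, (unsigned)high,
           low > high ? "ping sockets disabled for all groups"
                      : "some groups may create ping sockets");

    /* Collect the effective gid and all supplementary groups. */
    int n = getgroups(0, NULL);
    if (n < 0) n = 0;
    gid_t *gids = malloc((size_t)(n + 1) * sizeof *gids);
    if (!gids) return 1;
    gids[0] = getegid();
    if (n > 0 && getgroups(n, gids + 1) < 0) n = 0;
    int allowed = any_gid_in_ping_range(gids, n + 1, low, high);
    free(gids);
    printf("policy says the current user %s create ping sockets\n",
           allowed ? "MAY" : "may NOT");

    /* Confirm by asking the kernel; the descriptor is closed at once. */
    int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    if (fd >= 0) {
        close(fd);
        printf("socket() succeeded: ping_unhash() is reachable by this user\n");
    } else {
        printf("socket() failed: %s (exposure limited)\n", strerror(errno));
    }
    return 0;
}
```

On an unpatched kernel, keeping net.ipv4.ping_group_range at its default "1 0" (or narrowing it to the groups that genuinely need unprivileged ping) limits who can reach the vulnerable code until the fixed kernel from the distribution is installed.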
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-use-after-free-via-ping-unhash-16801