Vigil@nce - Linux kernel: use after free via iw_cxgb3
April 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can force the usage of a freed memory area in the
driver iw_cxgb3 of the Linux kernel, in order to trigger a denial
of service, and possibly to run code.
– Impacted products: Debian, Fedora, Linux, SUSE Linux Enterprise
Desktop, SLES, Ubuntu.
– Severity: 2/4.
– Creation date: 11/02/2016.
DESCRIPTION OF THE VULNERABILITY
The Linux kernel includes the cxgb3 driver for some InfiniBand
network interface cards.
When the link is congested, outgoing packets are queued; when an
error occurs, they are discarded. However, the return value of the
function iwch_l2t_send() is mishandled: a congestion indication is
treated as an error, so the packet is freed too early, and its
memory area is used again when the driver later retries sending
the packet.
An attacker can therefore force the usage of a freed memory area
in the driver iw_cxgb3 of the Linux kernel, in order to trigger a
denial of service, and possibly to run code.
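The flaw is a classic misreading of a three-way return value (success, error, or "queued because of congestion"). The following added example is a simplified model written for this bulletin, not code from the kernel or from Vigil@nce: the names lower_send, send_buggy, send_fixed, run_scenario and the status constants are hypothetical stand-ins. It shows how a wrapper that passes a positive congestion status through as-is leads its caller to release a packet the queue still references, and how returning 0 for the congestion case removes the dangling reference.

```c
#include <stdlib.h>

/* Return convention modelled on the kernel's: 0 = sent, < 0 = error,
 * > 0 = queued because of congestion (the kernel's NET_XMIT_CN is positive). */
enum { XMIT_OK = 0, XMIT_CN = 2, XMIT_ERR = -1 };

struct pkt { int payload; int freed; };

/* Constructed stand-in for the transmit queue the lower layer keeps
 * when it reports congestion; the queue still owns the packet. */
static struct pkt *txq[8];
static int txq_len;

static int lower_send(struct pkt *p, int congested, int broken)
{
    if (broken) return XMIT_ERR;                      /* caller must free */
    if (congested) { txq[txq_len++] = p; return XMIT_CN; }
    return XMIT_OK;
}

/* Buggy wrapper: hands the raw status up, so a caller that does
 * "if (rc) free" treats congestion exactly like an error. */
static int send_buggy(struct pkt *p, int congested, int broken)
{
    return lower_send(p, congested, broken);
}

/* Fixed wrapper: only negative values are errors; a positive
 * congestion code means "queued, still owned below", so report 0. */
static int send_fixed(struct pkt *p, int congested, int broken)
{
    int rc = lower_send(p, congested, broken);
    return rc < 0 ? rc : 0;
}

/* Caller pattern: release the packet on any non-zero status.
 * Returns 1 if the later queue drain reaches a released packet. */
static int run_scenario(int (*send)(struct pkt *, int, int))
{
    struct pkt p = { 42, 0 };
    int dangling = 0;
    txq_len = 0;
    if (send(&p, /*congested=*/1, /*broken=*/0))
        p.freed = 1;                  /* caller thinks the send failed */
    for (int i = 0; i < txq_len; i++) /* congestion clears, queue drains */
        if (txq[i]->freed) dangling = 1;
    return dangling;
}

int main(void)
{
    return (run_scenario(send_buggy) == 1 && run_scenario(send_fixed) == 0) ? 0 : 1;
}
```

The error path is unchanged by the fix: a negative status still reaches the caller, which frees the packet as intended.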
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Linux-kernel-use-after-free-via-iw-cxgb3-18930