Vigil@nce - Linux kernel: hijacking execution via bpf_jit
May 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can create a special BPF filter, to hijack the
execution of the Linux kernel BPF JIT compiler, in order to
trigger a denial of service, and possibly to execute code.
Impacted products: Linux
Severity: 2/4
Creation date: 16/04/2014
DESCRIPTION OF THE VULNERABILITY
A BPF (Berkeley Packet Filter) filter defines the type of packets
to capture.
The Linux kernel implements a JIT compiler (Just In Time, enabled
via /proc/sys/net/core/bpf_jit_enable) to compile BPF filters.
However, while emitting code this JIT compiler can skip one byte
too far, which changes the execution path of the kernel.
An attacker can therefore create a special BPF filter, to hijack
the execution of the Linux kernel BPF JIT compiler, in order to
trigger a denial of service, and possibly to execute code.
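The following audit script is an added example and is not part of the Vigil@nce bulletin. It reads the sysctl knob named above and reports whether the kernel's BPF JIT is active, which is the setting an administrator would turn off until a fixed kernel is installed. The meaning of the values (0 disabled, 1 enabled, 2 enabled with debug traces) comes from the kernel's own documentation of bpf_jit_enable, not from the bulletin; the path argument is an assumption added so the function can be pointed at a saved copy of the file for offline testing.

```shell
#!/bin/sh
# Added example (not from the Vigil@nce bulletin): report the state of the
# Linux BPF JIT compiler from the sysctl knob the bulletin names.
# Value meanings are taken from kernel documentation, not from the bulletin:
#   0 = JIT disabled (interpreter only)
#   1 = JIT enabled
#   2 = JIT enabled with debug traces
# The optional argument (an assumption for offline use) overrides the path.
bpf_jit_state() {
    knob="${1:-/proc/sys/net/core/bpf_jit_enable}"
    if [ ! -r "$knob" ]; then
        # No knob: kernel built without a BPF JIT for this arch, or no /proc.
        echo "absent"
        return 0
    fi
    # Strip the trailing newline the kernel appends to sysctl values.
    val=$(tr -d '[:space:]' < "$knob")
    case "$val" in
        0) echo "disabled" ;;
        1) echo "enabled" ;;
        2) echo "enabled-debug" ;;
        *) echo "unknown:$val" ;;
    esac
}

# Print the state and, when the JIT is on, the command an administrator
# would run to turn it off until the kernel is updated (needs root).
main() {
    state=$(bpf_jit_state)
    echo "bpf_jit_enable: $state"
    case "$state" in
        enabled*) echo "mitigation: sysctl -w net.core.bpf_jit_enable=0" ;;
    esac
}

main
```

Disabling the JIT falls back to the in-kernel BPF interpreter, so filters keep working; only the native-code path the bulletin describes is removed.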
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-hijacking-execution-via-bpf-jit-14604