Vigil@nce - Linux kernel: denial of service via ip_options
September 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can run a multi-threaded program that changes the
IP options of a socket, in order to stop the system.
Impacted products: Linux
Severity: 1/4
Creation date: 03/09/2012
DESCRIPTION OF THE VULNERABILITY
An IPv4 packet can contain options.
The kernel stores these IP options in the structure ip_options
(inet->opt).
The ip_make_skb() function calls ip_setup_cork(), which copies
inet->opt. However, if another thread changes the IP options
associated with the socket in the meantime, the first thread can
dereference a freed pointer (use-after-free).
A local attacker can therefore run a multi-threaded program that
changes the IP options of a socket, in order to stop the system.
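The window described above, as an added userspace model that is not code from the bulletin or from the kernel: the second thread's option change is forced to run between the pointer load and the copy, once without and once with a reference held on the options object. All names (opts, sock_model, racer, cork_copy, run_model) are hypothetical, the option bytes are constructed, and reference counting is shown as one general way to close such a window, not as the kernel's actual fix.

```c
#include <stdio.h>
#include <string.h>

#define OPT_MAX 40                       /* maximum length of IPv4 options */
struct opts {                            /* model of struct ip_options, not kernel code */
    int refs;                            /* 0 = object has been freed */
    unsigned char len, data[OPT_MAX];
};
struct sock_model { struct opts *opt; }; /* model of inet->opt */
static struct opts pool[2];              /* freed slots are poisoned, never unmapped */
static int next_slot;

static struct opts *opts_new(const unsigned char *d, unsigned char len) {
    struct opts *o = &pool[next_slot++];
    o->refs = 1;
    o->len = len;
    memcpy(o->data, d, len);
    return o;
}
static void opts_put(struct opts *o) {
    if (--o->refs == 0) memset(o->data, 0xDD, OPT_MAX);  /* poison on free */
}
/* What the second thread does: install new options, release the old ones. */
static void racer(struct sock_model *sk) {
    static const unsigned char nops[4] = {1, 1, 1, 1};   /* constructed sample */
    struct opts *old = sk->opt;
    sk->opt = opts_new(nops, 4);
    opts_put(old);
}
/* First thread's copy. hold=1 pins the object (real code needs load+pin atomic). */
static int cork_copy(struct sock_model *sk, int hold, unsigned char *out) {
    struct opts *o = sk->opt;            /* pointer loaded */
    if (hold) o->refs++;
    racer(sk);                           /* interleaving forced inside the window */
    int stale = (o->refs == 0);          /* 1 = about to read a freed object */
    memcpy(out, o->data, o->len);
    if (hold) opts_put(o);
    return stale;
}
static int run_model(int hold, unsigned char *out) {
    static const unsigned char ra[4] = {0x94, 0x04, 0x00, 0x00}; /* constructed sample */
    memset(pool, 0, sizeof pool);
    next_slot = 0;
    struct sock_model sk = { opts_new(ra, 4) };
    return cork_copy(&sk, hold, out);
}
int main(void) {
    unsigned char out[OPT_MAX];
    printf("unpinned: stale=%d\n", run_model(0, out));
    printf("pinned:   stale=%d\n", run_model(1, out));
    return 0;
}
```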
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-ip-options-11914