Vigil@nce: Linux kernel, memory reading via SIOCGSTAMP
October 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can use the SIOCGSTAMP ioctl, in order to read a
kernel memory fragment, or to stop it.
– Impacted products: Linux
– Severity: 1/4
– Creation date: 04/10/2012
DESCRIPTION OF THE VULNERABILITY
The SIOCGSTAMP ioctl applies on a socket, in order to obtain the
reception time of a packet. The SIOCGSTAMPNS ioctl indicates
nanoseconds.
Both ioctls call the do_siocgstamp() and do_siocgstampns()
functions of the net/socket.c file. However, these functions
invert the pointer to the compat_timespec structure. In most
cases, this error stops the kernel, but on HP-PA architecture the
kernel memory area can be returned to the user space.
A local attacker can therefore use the SIOCGSTAMP ioctl, in order
to read a kernel memory fragment, or to stop it.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-memory-reading-via-SIOCGSTAMP-11995