Vigil@nce - Linux kernel: memory corruption via recvmmsg
February 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can generate a memory corruption via recvmmsg(),
in order to trigger a denial of service on the Linux kernel, and
possibly to execute code.
Impacted products: Linux, openSUSE
Severity: 2/4
Creation date: 31/01/2014
Revision date: 03/02/2014
DESCRIPTION OF THE VULNERABILITY
The recvmmsg() system call is used to receive several messages on
a socket in a single call:
recvmmsg(sockfd, msgvec, vlen, flags, timeout);
The "timeout" argument is a user-space pointer to a struct timespec:
the kernel reads it to bound the wait and writes the remaining time
back through it before returning.
However, in the compatibility system call path used by the x32 ABI
(CONFIG_X86_X32), the "timeout" pointer is cast directly to a kernel
pointer instead of being copied from, and back to, user space through
the usual access checks. A user can thus pass a pointer to an address
in kernel memory: the kernel reads that memory as a timespec and
writes the remaining timeout back over it. Only kernels built with
CONFIG_X86_X32=y expose this path; the option can be checked in
/boot/config-$(uname -r) or /proc/config.gz.
A local attacker can therefore generate a memory corruption via
recvmmsg(), in order to trigger a denial of service on the Linux
kernel, and possibly to execute code.
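The following user-space model, added here as an illustration and not code from the kernel or from the Vigil@nce bulletin, shows the two patterns side by side: the compat path that casts the user pointer straight into the kernel-pointer parameter, and the copy-in/copy-out path that the native system call uses. The helpers named *_model, the two constructed memory regions standing in for user and kernel address space, and the elapsed-time parameter are all assumptions made for this example; the real kernel functions are only named in the comments.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ts_model { long tv_sec; long tv_nsec; };   /* stands in for struct timespec */

/* Constructed address spaces for the model: the only "user" memory, and "kernel" memory. */
static struct ts_model g_user_mem[4];
static struct ts_model g_kernel_mem[4];

/* Model of access_ok(): true only for ranges that lie entirely inside g_user_mem. */
static int access_ok_model(const void *p, size_t n)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)g_user_mem, hi = lo + sizeof g_user_mem;
    return a >= lo && a < hi && n <= hi - a;
}

/* Models of copy_from_user()/copy_to_user(): refuse anything outside user memory. */
static int copy_from_user_model(void *dst, const void *usrc, size_t n)
{
    if (!access_ok_model(usrc, n)) return -EFAULT;
    memcpy(dst, usrc, n);
    return 0;
}
static int copy_to_user_model(void *udst, const void *src, size_t n)
{
    if (!access_ok_model(udst, n)) return -EFAULT;
    memcpy(udst, src, n);
    return 0;
}

/* Model of the core __sys_recvmmsg() contract: 'timeout' is a KERNEL pointer. It is
 * validated, then the remaining time is written back through it. 'elapsed_sec' stands
 * in for the time spent waiting for messages. */
static int recvmmsg_core_model(struct ts_model *timeout, long elapsed_sec)
{
    if (!timeout) return 0;                            /* no timeout requested */
    if (timeout->tv_sec < 0 || timeout->tv_nsec < 0 || timeout->tv_nsec >= 1000000000L)
        return -EINVAL;
    timeout->tv_sec -= elapsed_sec;                    /* write-back of remaining time */
    if (timeout->tv_sec < 0) timeout->tv_sec = timeout->tv_nsec = 0;
    return 0;
}

/* Vulnerable pattern: the user-supplied pointer is cast straight into the kernel-pointer
 * parameter, so whatever address the caller names is read and written by the kernel. */
static int compat_recvmmsg_vulnerable(void *user_timeout, long elapsed_sec)
{
    return recvmmsg_core_model((struct ts_model *)user_timeout, elapsed_sec);
}

/* Hardened pattern (what the native syscall path does): copy into a kernel-owned local,
 * run the core on that, copy the result back, each copy going through the access check. */
static int compat_recvmmsg_fixed(void *user_timeout, long elapsed_sec)
{
    struct ts_model ts;
    int rc;
    if (!user_timeout) return recvmmsg_core_model(NULL, elapsed_sec);
    if (copy_from_user_model(&ts, user_timeout, sizeof ts)) return -EFAULT;
    rc = recvmmsg_core_model(&ts, elapsed_sec);
    if (rc) return rc;
    if (copy_to_user_model(user_timeout, &ts, sizeof ts)) return -EFAULT;
    return 0;
}

/* Caller names an address inside kernel memory. Through the direct cast the core
 * rewrites it; returns 1 if the kernel-side value changed. */
int demo_vulnerable_overwrites_kernel_memory(void)
{
    struct ts_model *target = &g_kernel_mem[1];
    target->tv_sec = 10; target->tv_nsec = 0;           /* whatever the kernel held there */
    return compat_recvmmsg_vulnerable(target, 3) == 0 && target->tv_sec == 7;
}

/* Same address through copy-in/copy-out: rejected with EFAULT, memory untouched. */
int demo_fixed_rejects_kernel_memory(void)
{
    struct ts_model *target = &g_kernel_mem[1];
    target->tv_sec = 10; target->tv_nsec = 0;
    return compat_recvmmsg_fixed(target, 3) == -EFAULT && target->tv_sec == 10;
}

/* A genuine user pointer still gets its remaining time updated through the fixed path. */
int demo_fixed_updates_user_memory(void)
{
    struct ts_model *u = &g_user_mem[2];
    u->tv_sec = 10; u->tv_nsec = 500;
    return compat_recvmmsg_fixed(u, 3) == 0 && u->tv_sec == 7 && u->tv_nsec == 500;
}

int main(void)
{
    printf("vulnerable path overwrote kernel memory: %d\n", demo_vulnerable_overwrites_kernel_memory());
    printf("fixed path rejected kernel address:      %d\n", demo_fixed_rejects_kernel_memory());
    printf("fixed path updated user timespec:        %d\n", demo_fixed_updates_user_memory());
    return 0;
}
```

The point the model makes is that the value written is the kernel's own bookkeeping (the remaining timeout), so the attacker does not control it freely, but the address is entirely attacker-chosen; a write of a mostly zero timespec at a chosen kernel address is already enough for a crash and a starting point for more.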
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-memory-corruption-via-recvmmsg-14162