An integer overflow has been found in the Linux kernel. As a result, a kernel buffer can be overflowed and code execution can take place.
Credit:
The information has been provided by Wojciech Purczynski.
Vulnerable Systems:
* Linux kernel versions 2.4.22 up to 2.4.25, 2.6.1 up to 2.6.3
Immune Systems:
* Linux kernel versions 2.4.26, 2.6.4
The ip_setsockopt() function is a subroutine of the setsockopt(2) system call. It allows manipulation of various options of an IP socket. The MCAST_MSFILTER socket option can be used on multicast sockets to provide the kernel with a list of multicast addresses to be received when sending through the socket.
There is an exploitable integer overflow in the code handling the MCAST_MSFILTER socket option, in the IP_MSFILTER_SIZE macro calculation. The vulnerable code resides in the file net/ipv4/ip_sockglue.c:
    case MCAST_MSFILTER:
    {
        /* ... */
        /* gf_numsrc is user-controlled; the macro multiplies it by sizeof(__u32)
         * without a bound, so a large count wraps to a small msize */
        msize = IP_MSFILTER_SIZE(gsf->gf_numsrc);
        msf = (struct ip_msfilter *)kmalloc(msize,GFP_KERNEL);
        /* ... */
        /* the loop still iterates gf_numsrc times, writing past the undersized buffer */
        for (i=0; i<gsf->gf_numsrc; ++i) {
            psin = (struct sockaddr_in *)&gsf->gf_slist[i];
            if (psin->sin_family != AF_INET)
                goto mc_msf_out;
            msf->imsf_slist[i] = psin->sin_addr.s_addr;
        }
whereas the IP_MSFILTER_SIZE macro is defined as follows:
    #define IP_MSFILTER_SIZE(numsrc) \
        (sizeof(struct ip_msfilter) - sizeof(__u32) \
        + (numsrc) * sizeof(__u32))
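To make the arithmetic concrete, the following is an added user-space model (not kernel code and not part of this advisory) that evaluates IP_MSFILTER_SIZE with the 32-bit unsigned arithmetic a 32-bit kernel would use, compares it with the bytes the copy loop writes, and puts a bounded variant beside it that rejects counts the macro cannot represent. The struct layout, the helper names and the bounded check are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout of struct ip_msfilter: four __u32 header fields, then the source list. */
struct ip_msfilter_model {
    uint32_t imsf_multiaddr, imsf_interface, imsf_fmode, imsf_numsrc;
    uint32_t imsf_slist[1];
};
/* sizeof(struct ip_msfilter) - sizeof(__u32): the fixed part of the macro. */
#define HDR_BYTES ((uint32_t)(sizeof(struct ip_msfilter_model) - sizeof(uint32_t)))
/* IP_MSFILTER_SIZE evaluated in 32-bit unsigned arithmetic, as a 32-bit kernel
 * does it: numsrc * 4 wraps once numsrc >= 2^30, so a huge user-supplied
 * count produces a tiny allocation size. */
static uint32_t msfilter_size_32(uint32_t numsrc)
{
    return HDR_BYTES + numsrc * (uint32_t)sizeof(uint32_t);
}
/* Bytes the copy loop writes: numsrc entries of imsf_slist, whatever msize was. */
static uint64_t loop_bytes_written(uint32_t numsrc)
{
    return offsetof(struct ip_msfilter_model, imsf_slist) + (uint64_t)numsrc * 4;
}
/* Non-zero when the loop would run past the buffer allocated with msize. */
static int loop_overruns_alloc(uint32_t numsrc)
{
    return loop_bytes_written(numsrc) > msfilter_size_32(numsrc);
}
/* Assumed overflow-safe variant: bound numsrc before multiplying. Returns 0
 * (never a valid size, the header is non-empty) when the count is rejected. */
static uint32_t msfilter_size_checked(uint32_t numsrc)
{
    if (numsrc > (UINT32_MAX - HDR_BYTES) / 4)
        return 0;
    return HDR_BYTES + numsrc * 4u;
}

int main(void)
{
    uint32_t counts[2] = { 3, 0x40000002u }; /* a sane count, then a wrapping one */
    for (int i = 0; i < 2; i++)
        printf("numsrc=0x%08x msize=%u loop_writes=%llu overrun=%d checked=%u\n",
               counts[i], msfilter_size_32(counts[i]),
               (unsigned long long)loop_bytes_written(counts[i]),
               loop_overruns_alloc(counts[i]), msfilter_size_checked(counts[i]));
    return 0;
}
```

With the wrapping count the unchecked size comes out at 24 bytes while the loop would write several gigabytes, which is the mismatch the advisory describes; the checked variant refuses that count outright.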
Successful exploitation of this vulnerability allows a user to gain root privileges. If exploitation fails, it is likely to result in a denial of service on the machine, probably through a kernel panic or an immediate reboot.
Workaround
All users of vulnerable kernels are encouraged to upgrade to the newer versions that are immune to this vulnerability.