News
Vigil@nce - Linux kernel: buffer overflow of bcm_tx_setup et bcm_rx_setup
August 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can generate a buffer overflow using CAN BCM in order to elevate his privileges or to execute code.
Severity: 2/4
Creation date: 23/08/2010
Revision date: 27/08/2010
DESCRIPTION OF THE VULNERABILITY
The BCM (Broadcast Manager) protocol of CAN (Controller Area Network) bus, handles the broadcast of packets on the bus.
The bcm_tx_setup() and bcm_rx_setup() function of the file net/can/bcm.c handle the transmission/reception operations of AF_CAN sockets. Upon transmission/reception of a packet, frames are copied into a buffer. However, the data size to be copied is incorrectly checked leading to a buffer overflow.
An attacker can therefore generate a buffer overflow using CAN BCM in order to elevate his privileges or to execute code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
GOLD SPONSOR
