Vigil@nce - Linux kernel: buffer overflow of tg3 VPD
April 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can plug in a malicious Tigon3 device to trigger a
buffer overflow in the tg3 driver of the Linux kernel, in order to
cause a denial of service, and possibly to execute code.
Impacted products: Fedora, Linux
Severity: 2/4
Creation date: 12/04/2013
DESCRIPTION OF THE VULNERABILITY
A PCI device can contain VPD (Vital Product Data) information,
which indicates configuration parameters.
The drivers/net/ethernet/broadcom/tg3.c file implements the
support of Ethernet Broadcom Tigon3 devices.
The tg3_read_vpd() function reads VPD data from the Ethernet
device. However, this function does not check whether the size of
the data is greater than the size of the storage array.
An attacker can therefore plug in a malicious Tigon3 device to
trigger a buffer overflow in the tg3 driver of the Linux kernel, in
order to cause a denial of service, and possibly to execute code.
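The kind of size check described above, as an added example (not the
kernel's tg3 code and not part of the original bulletin). It assumes a
simplified field layout of a 2-byte keyword, a 1-byte length and the data;
FW_VER_SIZE, vpd_copy_field and the sample images are hypothetical names
and constructed inputs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FW_VER_SIZE 8            /* assumed size of the storage array */

/*
 * Copy one VPD keyword field (2-byte keyword, 1-byte length, data) at
 * offset off into dst. The length byte is supplied by the device.
 * Returns the bytes stored, or -1 if the field overruns the VPD image.
 */
int vpd_copy_field(const uint8_t *vpd, size_t vpd_len, size_t off,
                   char *dst, size_t dst_size)
{
    size_t len;

    if (dst_size == 0 || off > vpd_len || vpd_len - off < 3)
        return -1;               /* field header runs past the image */

    len = vpd[off + 2];
    if (len > vpd_len - off - 3)
        return -1;               /* declared data runs past the image */

    if (len > dst_size - 1)
        len = dst_size - 1;      /* clamp to the storage array */

    memcpy(dst, vpd + off + 3, len);
    dst[len] = '\0';
    return (int)len;
}

/* Constructed sample images, not captured from real hardware. */
const uint8_t vpd_ok[]  = { 'V', '0', 4, '1', '.', '2', '3' };
const uint8_t vpd_big[] = { 'V', '0', 12, 'A', 'A', 'A', 'A', 'A', 'A',
                            'A', 'A', 'A', 'A', 'A', 'A' };
const uint8_t vpd_lie[] = { 'V', '0', 200, 'x', 'y' };

char fw_ver[FW_VER_SIZE];

int main(void)
{
    int n = vpd_copy_field(vpd_ok, sizeof vpd_ok, 0, fw_ver, sizeof fw_ver);
    printf("ok:  %d \"%s\"\n", n, fw_ver);
    n = vpd_copy_field(vpd_big, sizeof vpd_big, 0, fw_ver, sizeof fw_ver);
    printf("big: %d \"%s\"\n", n, fw_ver);
    n = vpd_copy_field(vpd_lie, sizeof vpd_lie, 0, fw_ver, sizeof fw_ver);
    printf("lie: %d\n", n);
    return 0;
}
```

The oversized field is truncated to fit the array, and a length byte that
claims more data than the image holds is rejected outright.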
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-buffer-overflow-of-tg3-VPD-12662