Vigil@nce - Linux kernel: denial of service via RDS_FLAG_CONG_BITMAP
March 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can use a RDS message with RDS_FLAG_CONG_BITMAP,
in order to stop the kernel.
Severity: 1/4
Creation date: 04/03/2011
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The RDS (Reliable Datagram Socket) protocol is used to transmit
data in a non connected mode. It is supported by kernels since
version 2.6.30.
The RDS_FLAG_CONG_BITMAP flag is used to update the congestion
table. However, if the RDS message uses this flag with data size
inferior to the size of the rds_header structure, the
rds_cong_map_updated() function of the kernel is not prepared for
this case, and the BUG_ON() macro is called.
A local attacker can therefore use a RDS message with
RDS_FLAG_CONG_BITMAP, in order to stop the kernel.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-RDS-FLAG-CONG-BITMAP-10423