Vigil@nce - Linux kernel: denial of service via tc_fill_qdisc
July 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can use a RTM_GETQDISC message, in order to stop
the kernel.
Severity: 1/4
Creation date: 12/07/2011
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
Sockets of type AF_NETLINK are used to manage the network
configuration.
The NETLINK_ROUTE protocol can parameter several families: Links,
Adresses, Discipline, etc. The Netlink RTM_GETQDISC message
obtains the "Queueing Discipline" (priority based on delays,
throughput, etc.).
However, if the Queueing Discipline is of type TCQ_F_BUILTIN, the
tc_fill_qdisc() function of the file net/sched/sch_api.c
dereferences a NULL pointer.
A local attacker can therefore use a RTM_GETQDISC message, in
order to stop the kernel.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-tc-fill-qdisc-10830