Vigil@nce - Linux kernel: denial of service via sfc
August 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When the system uses a Solarflare network device, a remote
attacker can use large TCP data, in order to lock the kernel.
Severity: 2/4
Creation date: 01/08/2012
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The TSO (TCP Segmentation Offload) feature is used to delegate the
segmentation of TCP data to the network device. It is enabled by
default.
The support of Solarflare network devices is implemented in the
drivers/net/ethernet/sfc kernel driver. However, with DSO, and if
the MSS (Maximum Segment Size) defined by the remote peer is low,
the driver incorrectly computes the size of data to fragment,
which indefinitely calls a watchdog.
When the system uses a Solarflare network device, a remote
attacker can therefore use large TCP data, in order to lock the
kernel.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-sfc-11814