News
Vigil@nce: Linux kernel, memory disclosure via ioctl_standard_iw_point
September 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can use ioctl SIOCxxx in order to read kernel data.
Severity: 1/4
Creation date: 31/08/2010
DESCRIPTION OF THE VULNERABILITY
The ioctl_standard_iw_point() function of the file net/wireless/wext-core.c handles IOCTL commands for the Wireless extensions driver. Each command can take in parameter an input / output buffer.
When handling an IOCTL command that returns data, the ioctl_standard_iw_point() function allocates a kernel space buffer to receive those data. The size of this buffer is passed in parameter of the function. The buffer is then integrally copied to the buffer passed in parameter. However, the ioctl_standard_iw_point() function does not properly check the size of the returned data. Therefore more data than necessary could be copied to the caller.
An attacker can therefore use SIOCxxx ioctl in order to read kernel data.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
