Vigil@nce - Linux kernel: memory reading via ETHTOOL_GRXCLSRLALL
October 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can use the ETHTOOL_GRXCLSRLALL command to read a
kernel memory area.
Severity: 1/4
Creation date: 26/10/2010
DESCRIPTION OF THE VULNERABILITY
The net/core/ethtool.c file implements features for Ethernet
network devices.
The ETHTOOL_GRXCLSRLALL command obtains the NFC (Network Flow
Classification) of an interface, using the ethtool_get_rxnfc()
function.
The ethtool_get_rxnfc() function allocates a memory area to store
information to be returned to the user. However, this memory area
is not zeroed before being partially filled, so the part that is
not filled still holds earlier kernel data when it is returned.
A local attacker can therefore use the ETHTOOL_GRXCLSRLALL command
to read a kernel memory area.
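The pattern described above, modelled in user space as an added example (it is not kernel code and not taken from the bulletin): a buffer sized for the requested entries is only partially filled and then copied out whole, first from a non-zeroing allocation and then from a zeroing one. The pool, the function names and the "secret" string are constructed for illustration; kmalloc() and kzalloc() are named only as the kernel's non-zeroing and zeroing allocators.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for one reusable kernel heap chunk. */
static uint32_t heap_chunk[16];

static void *alloc_uninit(size_t n)   /* like kmalloc(): contents stale */
{
    return n <= sizeof(heap_chunk) ? heap_chunk : NULL;
}

static void *alloc_zeroed(size_t n)   /* like kzalloc(): contents cleared */
{
    void *p = alloc_uninit(n);
    if (p) memset(p, 0, n);
    return p;
}

/* Model of the handler: room for rule_cnt entries, only `used` filled, whole
 * buffer copied out. Returns the stale non-zero bytes that reached user_buf. */
static size_t get_rule_locs(int zeroing, uint32_t rule_cnt, uint32_t used,
                            unsigned char *user_buf)
{
    static const char secret[] = "constructed-secret-0123456789abcdef";
    size_t len, leaked = 0;
    uint32_t *locs;
    if (used > rule_cnt || rule_cnt > 16)
        return 0;
    len = rule_cnt * sizeof(uint32_t);
    memset(heap_chunk, 0, sizeof(heap_chunk));
    memcpy(heap_chunk, secret, sizeof(secret));  /* previous owner's data */
    locs = zeroing ? alloc_zeroed(len) : alloc_uninit(len);
    if (!locs)
        return 0;
    for (uint32_t i = 0; i < used; i++)
        locs[i] = i + 1;                         /* partial fill */
    memcpy(user_buf, locs, len);                 /* models copy_to_user() */
    for (size_t i = used * sizeof(uint32_t); i < len; i++)
        leaked += user_buf[i] != 0;
    return leaked;
}

int main(void)
{
    unsigned char out[64];
    printf("uninitialised: %zu stale bytes\n", get_rule_locs(0, 8, 2, out));
    printf("zeroed:        %zu stale bytes\n", get_rule_locs(1, 8, 2, out));
}
```

Zeroing the allocation, or copying out only the bytes that were actually written, removes the disclosure.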
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-memory-reading-via-ETHTOOL-GRXCLSRLALL-10075