Vigil@nce - Linux kernel: memory reading via AF_PACKET
August 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can use an AF_PACKET socket, in order to read two
bytes from the kernel memory.
Severity: 1/4
Creation date: 03/08/2011
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
A VLAN 802.1Q header contains 4 bytes:
– 2 bytes: TPID (Tag Protocol Identifier) : EtherType 0x8100
– 2 bytes : TCI (Tag Control Information) : Priority Code Point,
Canonical Format Indicator and VLAN Identifier
When a packet comes from a VLAN, the packet_recvmsg() function of
the net/packet/af_packet.c file stores the TCI in the tp_vlan_tci
field of the tpacket_auxdata structure. User can then retrieve the
content of this structure with the PACKET_AUXDATA query of
getsockopt().
However, when the tp_vlan_tci field (16 bit) was added in the
structure in kernel 2.6.27, the 16 padding bit located after were
not initialized by the packet_recvmsg() function.
A local attacker can therefore use an AF_PACKET socket, in order
to read two bytes from the kernel memory.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-memory-reading-via-AF-PACKET-10888