Vigil@nce - Linux kernel: unreachable memory reading via SO_KEEPALIVE
September 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can force a read at an invalid address via
SO_KEEPALIVE on the Linux kernel, in order to trigger a denial of
service.
Impacted products: Linux
Severity: 1/4
Creation date: 15/09/2014
DESCRIPTION OF THE VULNERABILITY
The setsockopt() function sets options on a socket.
The SO_KEEPALIVE option is used to keep a session active. However,
the net/core/sock.c file does not check whether the socket is of
type SOCK_STREAM before handling the option, so the kernel tries to
read a memory area which is not reachable, which triggers a fatal
error.
An attacker can therefore force a read at an invalid address via
SO_KEEPALIVE on the Linux kernel, in order to trigger a denial of
service.
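The following is an added illustration, not part of the Vigil@nce bulletin and not kernel code: a small user-space wrapper that performs, before calling setsockopt(), the socket-type check the bulletin says net/core/sock.c omitted. The function names set_keepalive_checked(), get_keepalive() and demo() are this example's own; it only assumes the standard BSD socket API (getsockopt() with SO_TYPE and SO_KEEPALIVE).

```c
/* Added example (not from the bulletin or the kernel source): refuse to
 * enable SO_KEEPALIVE on anything other than a SOCK_STREAM socket. */
#include <errno.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns the socket type (SOCK_STREAM, SOCK_DGRAM, ...) or -1 on error. */
static int socket_type(int fd)
{
    int type = 0;
    socklen_t len = sizeof(type);
    if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) != 0)
        return -1;
    return type;
}

/* Enables or disables SO_KEEPALIVE only when the socket is SOCK_STREAM.
 * Returns 0 on success, -1 with errno set when the type is wrong or the
 * underlying setsockopt() fails. */
int set_keepalive_checked(int fd, int enable)
{
    if (socket_type(fd) != SOCK_STREAM) {
        /* keepalive probes only make sense on stream sockets */
        errno = EOPNOTSUPP;
        return -1;
    }
    return setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &enable, sizeof(enable));
}

/* Reads back the SO_KEEPALIVE flag: 1 enabled, 0 disabled, -1 on error. */
int get_keepalive(int fd)
{
    int val = -1;
    socklen_t len = sizeof(val);
    if (getsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &val, &len) != 0)
        return -1;
    return val ? 1 : 0;
}

/* Demo: a TCP socket accepts the option and reads back as enabled; a UDP
 * socket is refused by the wrapper before the kernel is ever asked.
 * Returns 0 when both behave as expected, -1 otherwise. */
int demo(void)
{
    int tcp = socket(AF_INET, SOCK_STREAM, 0);
    int udp = socket(AF_INET, SOCK_DGRAM, 0);
    int ok = 1;

    if (tcp < 0 || udp < 0)
        return -1;
    if (set_keepalive_checked(tcp, 1) != 0 || get_keepalive(tcp) != 1)
        ok = 0;
    if (set_keepalive_checked(udp, 1) == 0 || errno != EOPNOTSUPP)
        ok = 0;

    close(tcp);
    close(udp);
    return ok ? 0 : -1;
}
```

The wrapper mirrors the missing kernel-side condition in user space: the type is read back with SO_TYPE rather than trusted from the caller, so a descriptor of the wrong type never reaches the SO_KEEPALIVE handler.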
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-unreachable-memory-reading-via-SO-KEEPALIVE-15352