Vigil@nce - Linux kernel: use after free via veth
May 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use a freed memory area in veth of Linux kernel,
in order to trigger a denial of service, and possibly to execute
code.
– Impacted products: Linux
– Severity: 2/4
– Creation date: 29/04/2013
DESCRIPTION OF THE VULNERABILITY
The Virtual Ethernet driver creates veth virtual interfaces.
When a congestion occurs, the netif_rx() function of the
drivers/net/veth.c file frees a SKB (Socket Kernel Buffer).
However, it is freed twice in the dev_forward_skb() function of
the net/core/dev.c file.
An attacker can therefore use a freed memory area in veth of Linux
kernel, in order to trigger a denial of service, and possibly to
execute code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-use-after-free-via-veth-12728