News
Vigil@nce - NetBSD: memory disclosure via venus_ioctl and coda_ioctl
August 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can use CODA ioctl in order to read kernel data.
Severity: 1/4
Creation date: 27/08/2010
DESCRIPTION OF THE VULNERABILITY
An attacker can use CODA ioctl in order to read kernel data.
The vice_ioctl() et coda_ioctl() functions of the files src/sys/coda/coda_venus.c and src/sys/coda/coda_vnops.c handle IOCTL commands for the CODA filesystem driver. Each command can take in parameter an input / output buffer.
When handling an IOCTL command that returns data, the vice_ioctl() and coda_ioctl() functions allocate a kernel space buffer to receive those data. The size of this buffer is passed in parameter of the functions. The buffer is then integrally copied to the buffer passed in parameter. However, the vice_ioctl() and coda_ioctl() functions do not properly check the size of the returned data. Therefore more data than necessary could be copied to the caller.
An attacker can therefore use CODA ioctl in order to read kernel data.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
GOLD SPONSOR
