Vigil@nce - Linux kernel: NULL pointer dereference via fib6_add
December 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker, with the CAP_NET_ADMIN capability, can
dereference a NULL pointer in the Linux kernel, in order to
trigger a denial of service.
– Impacted products: Linux
– Severity: 1/4
– Creation date: 06/12/2013
DESCRIPTION OF THE VULNERABILITY
The Linux kernel can be compiled with CONFIG_IPV6_SUBTREES, which
is used to route packets depending on the source IP address.
The net/ipv6/ip6_fib.c file implements the Forwarding Information
Base. However, when CONFIG_IPV6_SUBTREES is enabled, the
fib6_add() function does not check if the pointer is NULL, before
using it. This function is called by the SIOCADDRT ioctl.
A local attacker, with the CAP_NET_ADMIN capability, can therefore
dereference a NULL pointer in the Linux kernel, in order to
trigger a denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-NULL-pointer-dereference-via-fib6-add-13881