Contactez-nous Suivez-nous sur Twitter En francais English Language

De la Théorie à la pratique

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN



Vigil@nce: Linux kernel, buffer overflow of sunrpc/transports

November 2008 by Vigil@nce

A local attacker can read /proc/sys/sunrpc/transports in order to create an overflow in the kernel.

- Gravity: 2/4
- Consequences: administrator access/rights, denial of service of computer
- Provenance: user shell
- Means of attack: 1 proof of concept
- Ability of attacker: specialist (3/4)
- Confidence: confirmed by the editor (5/5)
- Diffusion of the vulnerable configuration: high (3/3)
- Creation date: 28/10/2008


- Linux kernel
- OpenSUSE


The /proc/sys/sunrpc/transports file displays the list of RPC transports and the maximal size of data. For example: tcp 1048576 (1Mo) udp 32768 (32ko)

The content of this file is generated on the fly by the proc_do_xprt() function of the net/sunrpc/sysctl.c file. However, this function copies generated information without checking their size, which creates an overflow.

A local attacker can therefore read this file in order to create a denial of service or to execute code.


- Identifiers: BID-31937, CVE-2008-3911, SUSE-SA:2008:053, VIGILANCE-VUL-8204
- Url:

See previous articles


See next articles