Vigil@nce: Linux kernel, buffer overflow of ETHTOOL_GRXCLSRLALL
July 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can generate a buffer overflow in ETHTOOL_GRXCLSRLALL,
in order to create a denial of service or to execute code.
– Severity: 2/4
– Creation date: 29/06/2010
DESCRIPTION OF THE VULNERABILITY
The net/core/ethtool.c file implements the interface to Ethernet
network devices.
The ETHTOOL_GRXCLSRLALL command, which does not require the
CAP_NET_ADMIN capability, obtains the NFC (Network Flow
Classification).
The ethtool_get_rxnfc() function allocates a memory area of size
4*info.rule_cnt. However, a local attacker can use a rule_cnt
value superior to 0x40000000, in order to generate an integer
overflow leading to a buffer overflow.
A local attacker can therefore generate a buffer overflow in
ETHTOOL_GRXCLSRLALL, in order to create a denial of service or to
execute code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-buffer-overflow-of-ETHTOOL-GRXCLSRLALL-9732