Vigil@nce - Linux kernel: buffer overflow of bcm_tx_setup and bcm_rx_setup
August 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can generate a buffer overflow using CAN BCM in order
to elevate his privileges or to execute code.
Severity: 2/4
Creation date: 23/08/2010
Revision date: 27/08/2010
DESCRIPTION OF THE VULNERABILITY
The BCM (Broadcast Manager) protocol of the CAN (Controller Area
Network) bus handles the broadcast of packets on the bus.
The bcm_tx_setup() and bcm_rx_setup() functions of the file
net/can/bcm.c handle the transmission/reception operations of
AF_CAN sockets. Upon transmission/reception of a packet, frames
are copied into a buffer. However, the data size to be copied is
incorrectly checked, leading to a buffer overflow.
An attacker can therefore generate a buffer overflow using CAN BCM
in order to elevate his privileges or to execute code.
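The kind of size check the description refers to, as an added user-space example (not the kernel's code or its fix, and not part of the bulletin): a frame count taken from an untrusted message is validated before it sizes an allocation and a copy. The struct, the function name and the 256-frame cap are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed 16-byte stand-in for a CAN frame, not the kernel's definition. */
struct demo_frame {
    uint32_t can_id;
    uint8_t  dlc;
    uint8_t  pad[3];
    uint8_t  data[8];
};

#define DEMO_MAX_NFRAMES 256u  /* hypothetical policy cap, assumed for this example */

/*
 * Copy `nframes` frames out of an untrusted message of `msg_len` bytes.
 * Returns 0 and sets *out on success, or a negative errno value.
 */
int demo_copy_frames(const uint8_t *msg, size_t msg_len, uint32_t nframes,
                     struct demo_frame **out)
{
    size_t need;

    *out = NULL;
    /* 1. Reject counts outside the policy range before any arithmetic. */
    if (nframes == 0 || nframes > DEMO_MAX_NFRAMES)
        return -EINVAL;
    /* 2. Compute the byte size in size_t and refuse if it would wrap. */
    if (nframes > SIZE_MAX / sizeof(struct demo_frame))
        return -EOVERFLOW;
    need = (size_t)nframes * sizeof(struct demo_frame);
    /* 3. The sender must actually have supplied that many bytes. */
    if (msg == NULL || msg_len < need)
        return -EINVAL;
    /* 4. Allocate and copy with the same validated size. */
    *out = malloc(need);
    if (*out == NULL)
        return -ENOMEM;
    memcpy(*out, msg, need);
    return 0;
}
```

The same value, `need`, sizes both the allocation and the copy, so the two cannot disagree.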
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-buffer-overflow-of-bcm-tx-setup-et-bcm-rx-setup-9866