Vigil@nce - Linux kernel: buffer overflow via MacVTap
April 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker located in a guest system can use a malicious driver to
trigger an overflow in MacVTap, leading to a denial of service and
possibly to code execution on the host system.
Severity: 1/4
Creation date: 20/04/2012
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The MacVTap interface is used to create virtual network devices
shared between the host system and guest systems.
The zerocopy_sg_from_iovec() function in drivers/net/macvtap.c
copies data into page fragments. However, it does not check whether
the required number of fragments exceeds MAX_SKB_FRAGS, so the
fixed-size fragment array overflows.
An attacker located in a guest system can therefore use a malicious
driver to trigger an overflow in MacVTap, leading to a denial of
service and possibly to code execution on the host system.
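As an added illustration (not the kernel's code and not part of the bulletin), the following user-space model shows the missing check: it counts the page fragments an iovec would occupy before touching the fixed fragment array and rejects the request when the count exceeds MAX_SKB_FRAGS. The fragment limit, page size and struct layout are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <sys/uio.h>

/* Model constants: the real values live in the kernel headers. */
#define MODEL_MAX_SKB_FRAGS 17
#define MODEL_PAGE_SIZE 4096UL

struct model_frag { uintptr_t page; size_t offset; size_t size; };

/* Fixed-size fragment array, like skb_shinfo(skb)->frags[MAX_SKB_FRAGS]. */
struct model_skb { struct model_frag frags[MODEL_MAX_SKB_FRAGS]; unsigned nr_frags; };

/* Number of pages a user buffer touches when mapped page by page. */
static size_t pages_spanned(uintptr_t base, size_t len) {
    if (len == 0) return 0;
    uintptr_t first = base / MODEL_PAGE_SIZE;
    uintptr_t last = (base + len - 1) / MODEL_PAGE_SIZE;
    return last - first + 1;
}

/* Hardened fill: count fragments first; return -1 instead of overflowing frags[]. */
int model_sg_from_iovec(struct model_skb *skb, const struct iovec *iov, int count) {
    size_t total = 0;
    for (int i = 0; i < count; i++)
        total += pages_spanned((uintptr_t)iov[i].iov_base, iov[i].iov_len);
    if (total > MODEL_MAX_SKB_FRAGS)
        return -1;                      /* the check the bulletin says is missing */
    skb->nr_frags = 0;
    for (int i = 0; i < count; i++) {
        uintptr_t addr = (uintptr_t)iov[i].iov_base;  /* addresses only; never dereferenced */
        size_t len = iov[i].iov_len;
        while (len) {
            size_t off = addr & (MODEL_PAGE_SIZE - 1);
            size_t chunk = MODEL_PAGE_SIZE - off;
            if (chunk > len) chunk = len;
            struct model_frag *f = &skb->frags[skb->nr_frags++];
            f->page = addr & ~(MODEL_PAGE_SIZE - 1);
            f->offset = off;
            f->size = chunk;
            addr += chunk;
            len -= chunk;
        }
    }
    return (int)skb->nr_frags;
}
```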
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-buffer-overflow-via-MacVTap-11562