Vigil@nce: Linux kernel, denial of service via Intel GE and VLAN
December 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When the system has an Intel Gigabit Ethernet device, in
promiscuous mode with SR-IOV, a remote attacker can send a VLAN
packet, in order to stop the kernel.
– Severity: 2/4
– Creation date: 06/12/2010
DESCRIPTION OF THE VULNERABILITY
The drivers/net/igb/igb_main.c file implements the support of
Intel Gigabit Ethernet network devices.
The SR-IOV (Single Root I/O Virtualization) feature virtualizes a
network device.
When a network device is in promiscuous mode, it captures all
packets.
An IGE device with SR-IOV in promiscuous mode does not filter
packets with a VLAN tag. The vlan_gro_receive() function thus
receives tagged packets, whereas the adapter->vlgrp field is NULL.
A NULL pointer is then dereferenced.
When the system has an Intel Gigabit Ethernet device, in
promiscuous mode with SR-IOV, a remote attacker can therefore send
a VLAN packet, in order to stop the kernel.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-Intel-GE-and-VLAN-10178