Vigil@nce: Linux kernel, denial of service via bonding
April 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY An attacker can send network packets to an interface using a "bonding", in order to stop the system.
Creation date: 13/04/2011
DESCRIPTION OF THE VULNERABILITY
The "bonding" feature is used to group several network devices (such as eth1 and eth2) in a same interface (bond0).
By default, the bonded interface has 16 queues. However, if a network device has more than 16 queues, an attacker can send several packets, in order to force the usage of more than 16 queues, which creates an integer overflow in the bond_select_queue() function of the drivers/net/bonding/bond_main.c file.
An attacker can therefore send network packets to an interface using a "bonding", in order to stop the system.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN