Vigil@nce: Linux kernel, memory reading via AF_APPLETALK
August 2009 by Vigil@nce
A local attacker can call getsockname() to obtain a few bytes of
kernel memory.
Severity: 1/4
Consequences: data reading
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Number of vulnerabilities in this bulletin: 5
Creation date: 27/08/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The getsockname() function returns the name of a socket. It calls a
sub-function chosen by the socket type, and these sub-functions share
the same class of vulnerability: each fills in only the fields it
knows about, and the rest of the returned structure keeps whatever the
kernel memory held before.
The raw_getname() sub-function, used by the SOCK_RAW type, does not
initialize the sockaddr_can structure, which leads to a disclosure of
10 bytes of kernel memory. [grav:1/4]
The irda_getname() sub-function, used by the AF_IRDA type, does not
initialize the saddr structure, which leads to a disclosure of a few
bytes of kernel memory. [grav:1/4]
The nr_getname() sub-function, used by the AF_NETROM type, does not
initialize the fsa_digipeater structure, which leads to a disclosure
of a few bytes of kernel memory. [grav:1/4]
The econet_getname() sub-function, used by the AF_ECONET type, does
not initialize the sec structure, which leads to a disclosure of a few
bytes of kernel memory. [grav:1/4]
The rose_getname() sub-function, used by the AF_ROSE type, does not
initialize the srose structure, which leads to a disclosure of a few
bytes of kernel memory. [grav:1/4]
A local attacker can therefore call getsockname() to obtain a few
bytes of kernel memory.
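The pattern common to all five handlers, shown as an added user-space model that is not part of this bulletin or of the kernel source: a getname() routine fills only the fields it knows about in a caller-supplied buffer, so compiler padding and unwritten fields keep whatever the buffer held before (modelled here by a constructed 0xAA sentinel), and the fix is to clear the whole structure first. The struct name, its field layout and the handler names are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Sentinel standing in for stale data left in the kernel-side buffer. */
#define STALE 0xAA

/* Hypothetical sockaddr-like layout (assumption, not a real family):
 * the compiler inserts padding after `port` to align `node`, and
 * `reserved` is a field no handler ever writes. */
struct sockaddr_model {
    uint16_t family;
    uint8_t  port;
    uint32_t node;
    uint8_t  reserved[4];
};

/* Vulnerable pattern: write the known fields, touch nothing else. */
static int getname_leaky(void *uaddr, int *len)
{
    struct sockaddr_model *sa = uaddr;
    sa->family = 5;
    sa->port   = 7;
    sa->node   = 0x01020304;
    *len = sizeof(*sa);
    return 0;
}

/* Fixed pattern: clear the whole structure before filling it. */
static int getname_fixed(void *uaddr, int *len)
{
    struct sockaddr_model *sa = uaddr;
    memset(sa, 0, sizeof(*sa));
    sa->family = 5;
    sa->port   = 7;
    sa->node   = 0x01020304;
    *len = sizeof(*sa);
    return 0;
}

/* One simulated getsockname(): pre-fill the buffer with stale bytes,
 * run the handler, count stale bytes inside the length it reports. */
static int stale_bytes_returned(int (*getname)(void *, int *))
{
    unsigned char buf[sizeof(struct sockaddr_model)];
    int len = 0, stale = 0;
    memset(buf, STALE, sizeof buf);
    getname(buf, &len);
    for (int i = 0; i < len; i++)
        if (buf[i] == STALE) stale++;
    return stale;
}
```

With the leaky handler, every byte not covered by the three written fields (the padding byte plus the four reserved bytes on common ABIs) reaches the caller unchanged; with the fixed handler none does.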
CHARACTERISTICS
Identifiers: 519305, VIGILANCE-VUL-8980
http://vigilance.fr/vulnerability/Linux-kernel-memory-reading-via-AF-APPLETALK-8980