Vigil@nce - Linux kernel: memory disclosure via Net Scheduler
August 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can trigger the tcf_*_dump() functions in order to read
uninitialized kernel memory.
Severity: 1/4
Creation date: 20/08/2010
DESCRIPTION OF THE VULNERABILITY
The tcf_gact_dump(), tcf_mirred_dump(), tcf_nat_dump(),
tcf_simp_dump() and tcf_skbedit_dump() functions of files
net/sched/act_gact.c, net/sched/act_mirred.c, net/sched/act_nat.c,
net/sched/act_simple.c and net/sched/act_skbedit.c are the netlink
dump routines of the corresponding traffic-control actions (gact,
mirred, nat, simple and skbedit), which manipulate network packets in
the kernel. A dump routine reports the configuration of an action to
user space.
The memcpy() function copies a block of memory to another location,
byte for byte, whether or not each byte was initialized.
The tcf_*_dump() functions fill a local structure field by field with
information about the action. This structure is then copied as a whole,
via memcpy(), into the netlink message that is returned to the caller.
However, not all fields of the local structure are assigned. The bytes
of the unassigned fields therefore keep whatever the stack previously
held, and are sent to the caller.
An attacker who can request a dump of these actions (for instance by
listing the configured actions with the tc utility) can therefore read
uninitialized kernel stack memory.
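The following user-space program is an added illustration, not part of the Vigil@nce bulletin or of the kernel source. It reproduces the flawed pattern on a structure laid out like the kernel's struct tc_gact (index, capab, action, refcnt, bindcnt, five 4-byte fields), leaving capab unassigned as the vulnerable dump routine did, beside a hardened version that clears the structure before filling it. The struct gact_state field names and the STALE marker are assumptions of the example: the structure slot is pre-filled with the marker to stand in for stale stack contents, so the leaked bytes can be observed without relying on undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as struct tc_gact in the kernel's
 * include/linux/tc_act/tc_gact.h: five 4-byte fields, no padding. */
struct tc_gact {
    uint32_t index;
    uint32_t capab;
    int32_t  action;
    uint32_t refcnt;
    uint32_t bindcnt;
};

/* Stand-in for the in-kernel action state (field names assumed). */
struct gact_state {
    uint32_t tcf_index;
    int32_t  tcf_action;
    uint32_t tcf_refcnt;
    uint32_t tcf_bindcnt;
};

#define STALE 0xAA /* marker for whatever an earlier call left on the stack */

/* Vulnerable pattern: assign some fields of the local, then copy the whole
 * structure. 'opt' is the slot the local would occupy; the caller pre-fills
 * it with STALE so the leaked bytes are visible. */
static size_t dump_partial_init(const struct gact_state *g,
                                struct tc_gact *opt, unsigned char *out)
{
    opt->index   = g->tcf_index;
    opt->refcnt  = g->tcf_refcnt;
    opt->bindcnt = g->tcf_bindcnt;
    opt->action  = g->tcf_action;
    /* opt->capab is never written: its 4 bytes leave as-is */
    memcpy(out, opt, sizeof *opt);
    return sizeof *opt;
}

/* Hardened pattern: clear every byte first, then assign the fields.
 * memset also covers padding bytes, which a designated initializer is
 * not guaranteed by the C standard to zero. */
static size_t dump_full_init(const struct gact_state *g,
                             struct tc_gact *opt, unsigned char *out)
{
    memset(opt, 0, sizeof *opt);
    opt->index   = g->tcf_index;
    opt->refcnt  = g->tcf_refcnt;
    opt->bindcnt = g->tcf_bindcnt;
    opt->action  = g->tcf_action;
    memcpy(out, opt, sizeof *opt);
    return sizeof *opt;
}

/* Count bytes of the dumped record that still carry the STALE marker. */
static size_t count_stale(const unsigned char *buf, size_t n)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == STALE)
            k++;
    return k;
}

/* Run one dump against a pre-dirtied slot; returns how many bytes leaked.
 * The field values are chosen so that no legitimate byte equals STALE. */
size_t leaked_bytes(int hardened)
{
    struct gact_state g = { .tcf_index = 1, .tcf_action = 2 /* TC_ACT_SHOT */,
                            .tcf_refcnt = 2, .tcf_bindcnt = 1 };
    struct tc_gact slot;
    unsigned char out[sizeof slot];
    size_t n;

    memset(&slot, STALE, sizeof slot); /* simulate stale stack contents */
    n = hardened ? dump_full_init(&g, &slot, out)
                 : dump_partial_init(&g, &slot, out);
    return count_stale(out, n);
}

int main(void)
{
    printf("partial init leaks %zu byte(s) of %zu\n",
           leaked_bytes(0), sizeof(struct tc_gact));
    printf("memset first leaks %zu byte(s) of %zu\n",
           leaked_bytes(1), sizeof(struct tc_gact));
    return 0;
}
```

The partial-init variant leaks the four bytes of the capab field; the hardened variant leaks none. The check a reviewer would apply to any record copied out of the kernel with memcpy() or nla_put() is that every byte of the source, padding included, was written deliberately before the copy.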
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-memory-disclosure-via-Net-Scheduler-9859