Vigil@nce: Linux kernel, memory reading via de4x5
September 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When a Digital DE4x5 network device is installed, a local attacker
can obtain 32 bytes coming from the kernel memory.
– Severity: 1/4
– Creation date: 14/09/2010
DESCRIPTION OF THE VULNERABILITY
The drivers/net/tulip/de4x5.c file implements the support of
Digital DE4x5 and DE500 network devices.
The ioctl DE4X5_GET_REG retrieves values of registers of a device.
However, the de4x5_ioctl() function provides the value of the
tmp.addr variable instead of tmp.lval. The 32 bytes located at the
address of tmp.addr are thus transmitted to the user.
When a Digital DE4x5 network device is installed, a local attacker
can therefore obtain 32 bytes coming from the kernel memory.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-memory-reading-via-de4x5-9924