Vigil@nce: Linux kernel, memory reading via cxgb3
September 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When a Chelsio T3 network device is installed, a local attacker
can obtain 4 bytes coming from the kernel memory.
– Severity: 1/4
– Creation date: 14/09/2010
DESCRIPTION OF THE VULNERABILITY
The drivers/net/cxgb3/cxgb3_main.c file implements the support of
Chelsio T3 network devices.
The ioctl CHELSIO_GET_QSET_NUM retrieves the value of a register
of a device. However, the cxgb_extension_ioctl() function does not
initialize the ch_reg structure. The 4 bytes located at the
address of the "edata" field of the structure are thus transmitted
to the user.
When a Chelsio T3 network device is installed, a local attacker
can therefore obtain 4 bytes coming from the kernel memory.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-memory-reading-via-cxgb3-9925