Vigil@nce: Linux kernel, memory reading via hso
September 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When a USB High Speed Option network device is installed, a local
attacker can obtain 9 bytes coming from the kernel memory.
– Severity: 1/4
– Creation date: 14/09/2010
DESCRIPTION OF THE VULNERABILITY
The drivers/net/usb/hso.c file implements the support of USB High
Speed Option network devices.
The ioctl TIOCGICOUNT retrieves the value of a counter of a
device. However, the hso_get_count() function does not initialize
the serial_icounter_struct structure. The 9 bytes located at the
address of the "reserved" field of the structure are thus
transmitted to the user.
When a USB High Speed Option network device is installed, a local
attacker can therefore obtain 9 bytes coming from the kernel
memory.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-memory-reading-via-hso-9927