Vigil@nce - Linux kernel: memory corruption via skb_copy_and_csum_datagram_iovec
December 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can cause memory corruption in the
skb_copy_and_csum_datagram_iovec() function of the Linux kernel,
in order to trigger a denial of service, and possibly to run code.
Impacted products: Linux.
Severity: 2/4.
Creation date: 27/10/2015.
DESCRIPTION OF THE VULNERABILITY
The Linux kernel uses the skb_copy_and_csum_datagram_iovec()
function, defined in the net/core/datagram.c file, to copy a network
buffer (skb) into an I/O vector (iov).
However, this function does not check the size copied by
memcpy_toiovec() from the skb to the iov.
A local attacker can therefore cause memory corruption in the
skb_copy_and_csum_datagram_iovec() function of the Linux kernel,
in order to trigger a denial of service, and possibly to run code.
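The missing size check described above, shown as an added example that is not part of the original bulletin and is not kernel code. It is a simplified userspace model: the names iov_capacity() and copy_datagram_to_iov_checked() are hypothetical, and the sample data is constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>

/* Total bytes the destination iovec array can hold (saturates on overflow). */
static size_t iov_capacity(const struct iovec *iov, int iovcnt)
{
    size_t total = 0;
    for (int i = 0; i < iovcnt; i++) {
        if (iov[i].iov_len > SIZE_MAX - total)
            return SIZE_MAX;
        total += iov[i].iov_len;
    }
    return total;
}

/* Userspace model (hypothetical name): copy len bytes into the iovec array.
 * The capacity check is the kind of size validation the bulletin says is
 * missing; a copy loop that trusts len would run past the last iovec. */
static int copy_datagram_to_iov_checked(const unsigned char *data, size_t len,
                                        const struct iovec *iov, int iovcnt)
{
    if (len > iov_capacity(iov, iovcnt))
        return -EINVAL;               /* refuse rather than overrun */
    for (int i = 0; i < iovcnt && len > 0; i++) {
        size_t n = len < iov[i].iov_len ? len : iov[i].iov_len;
        memcpy(iov[i].iov_base, data, n);
        data += n;
        len -= n;
    }
    return 0;
}

int main(void)
{
    unsigned char a[4] = {0}, b[4] = {0};
    struct iovec iov[2] = { { .iov_base = a, .iov_len = sizeof a },
                            { .iov_base = b, .iov_len = sizeof b } };
    const unsigned char pkt[12] = "constructed";  /* constructed sample data */
    printf("6 bytes:  %d\n", copy_datagram_to_iov_checked(pkt, 6, iov, 2));
    printf("12 bytes: %d\n", copy_datagram_to_iov_checked(pkt, 12, iov, 2));
    return 0;
}
```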