Vigil@nce: Linux kernel, reading 2 bytes via tc_fill_node
October 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can create a PF_NETLINK/NETLINK_ROUTE socket in order
to read two uninitialized bytes of kernel memory.
Severity: 1/4
Consequences: data reading
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 15/10/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The tcmsg structure (linux/rtnetlink.h) is laid out as:
– 1 byte for tcm_family
– 3 bytes of alignment padding, composed of an unsigned char
"tcm__pad1" (1 byte) and an unsigned short "tcm__pad2" (2 bytes)
– 4 bytes for tcm_ifindex, followed by the 4-byte fields tcm_handle,
tcm_parent and tcm_info
This structure is used by rtnetlink routing sockets (message
RTM_GETQDISC, RTM_GETTCLASS, RTM_GETTFILTER, etc.).
The tc_fill_node() function of the net/sched/sch_api.c file fills this
header field by field and never writes the 2 "tcm__pad2" padding
bytes, so they keep whatever value the allocated kernel buffer held
before, and that value is copied verbatim to user space with the rest
of the netlink reply.
A local attacker can thus, for example, send RTM_GETTCLASS on a
PF_NETLINK/NETLINK_ROUTE socket and read these 2 bytes of kernel
memory at offset 2 of each tcmsg header in the reply.
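To make the failure mode concrete, the following user-space simulation is an added example (not the kernel's code and not part of the Vigil@nce advisory). It redeclares the tcmsg layout under the constructed name tcmsg_demo, fills a buffer with a 0xAA sentinel standing in for stale kernel heap data, then runs a field-by-field initialization that omits tcm__pad2 (the vulnerable pattern) beside one that writes it (the one-line fix), and counts how many stale bytes survive into the "reply". The fill functions, the sentinel and the ifindex/handle values are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Layout of struct tcmsg as declared in <linux/rtnetlink.h>, redeclared
 * under a constructed name so the example builds on any platform.
 */
struct tcmsg_demo {
    unsigned char  tcm_family;
    unsigned char  tcm__pad1;
    unsigned short tcm__pad2;   /* the 2 bytes left uninitialized by CVE-2009-3612 */
    int            tcm_ifindex;
    uint32_t       tcm_handle;
    uint32_t       tcm_parent;
    uint32_t       tcm_info;
};

/* Sentinel standing in for stale kernel data in a freshly allocated
 * buffer (constructed for the demo; real leftover bytes are arbitrary). */
#define STALE_BYTE 0xAA

/* A message buffer the way the kernel sees it: the struct overlays raw
 * bytes that are later copied verbatim to user space. */
union tc_reply {
    struct tcmsg_demo tcm;
    unsigned char raw[sizeof(struct tcmsg_demo)];
};

typedef void (*fill_fn)(struct tcmsg_demo *tcm, int ifindex, uint32_t handle);

/* Vulnerable pattern: every named field is written except tcm__pad2. */
static void fill_vulnerable(struct tcmsg_demo *tcm, int ifindex, uint32_t handle)
{
    tcm->tcm_family  = 0;          /* AF_UNSPEC */
    tcm->tcm__pad1   = 0;
    /* tcm__pad2 is never written: this is the bug */
    tcm->tcm_ifindex = ifindex;
    tcm->tcm_handle  = handle;
    tcm->tcm_parent  = 0;
    tcm->tcm_info    = 0;
}

/* Fixed pattern: every byte of the struct is written, padding included. */
static void fill_fixed(struct tcmsg_demo *tcm, int ifindex, uint32_t handle)
{
    tcm->tcm_family  = 0;
    tcm->tcm__pad1   = 0;
    tcm->tcm__pad2   = 0;          /* the one-line fix */
    tcm->tcm_ifindex = ifindex;
    tcm->tcm_handle  = handle;
    tcm->tcm_parent  = 0;
    tcm->tcm_info    = 0;
}

/* Simulate "allocate a buffer holding stale data, fill the header, copy
 * it out" and return how many stale bytes survive into the reply. */
static int count_leaked_bytes(fill_fn fill)
{
    union tc_reply reply;
    int leaked = 0;
    size_t i;

    memset(reply.raw, STALE_BYTE, sizeof reply.raw);
    fill(&reply.tcm, 2, 0x00010000u);   /* ifindex 2, handle 1:0 (constructed) */

    for (i = 0; i < sizeof reply.raw; i++)
        if (reply.raw[i] == STALE_BYTE)
            leaked++;
    return leaked;
}

/* Offset of the first surviving stale byte in the reply, or -1 if none. */
static int first_leaked_offset(fill_fn fill)
{
    union tc_reply reply;
    size_t i;

    memset(reply.raw, STALE_BYTE, sizeof reply.raw);
    fill(&reply.tcm, 2, 0x00010000u);

    for (i = 0; i < sizeof reply.raw; i++)
        if (reply.raw[i] == STALE_BYTE)
            return (int)i;
    return -1;
}

int main(void)
{
    printf("sizeof(struct tcmsg) = %zu, tcm__pad2 at offset %zu\n",
           sizeof(struct tcmsg_demo), offsetof(struct tcmsg_demo, tcm__pad2));
    printf("vulnerable fill: %d stale byte(s) reach user space, first at offset %d\n",
           count_leaked_bytes(fill_vulnerable), first_leaked_offset(fill_vulnerable));
    printf("fixed fill:      %d stale byte(s) reach user space\n",
           count_leaked_bytes(fill_fixed));
    return 0;
}
```

The point the simulation makes is that the padding here is not compiler padding but named members, so a missing assignment is an ordinary logic bug that compilers do not warn about; zeroing the whole header first (memset, or writing it through a zero-initialized local) removes the class of bug rather than the single instance. On a live kernel the same check is to issue one of the dump requests named above on a NETLINK_ROUTE socket and inspect bytes 2 and 3 of each tcmsg header that follows the nlmsghdr in the reply.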
CHARACTERISTICS
Identifiers: CVE-2009-3612, VIGILANCE-VUL-9096
http://vigilance.fr/vulnerability/Linux-kernel-reading-2-bytes-via-tc-fill-node-9096