Vigil@nce: Linux kernel, reading 3 bytes via tc_fill_tclass
September 2009 by Vigil@nce
A local attacker can read three bytes coming from the kernel
memory.
– Severity: 1/4
– Consequences: data reading
– Provenance: user shell
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 03/09/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The tcmsg structure is defined as:
– 1 byte for tcm_family
– 3 bytes for padding (alignment)
– 4 bytes for tcm_handle
This structure is used by rtnetlink routing sockets (message
RTM_GETQDISC, RTM_GETTCLASS, RTM_GETTFILTER, etc.).
The tc_fill_tclass() function of the net/sched/sch_api.c file does
not initialize the 3 padding bytes in the tcmsg structure.
A local attacker can thus for example use RTM_GETTCLASS on a
PF_NETLINK/NETLINK_ROUTE socket, in order to obtain these 3 bytes,
coming from the kernel memory.
CHARACTERISTICS
– Identifiers: VIGILANCE-VUL-8992
– Url: http://vigilance.fr/vulnerability/Linux-kernel-reading-3-bytes-via-tc-fill-tclass-8992