Vigil@nce: Linux kernel, reading 4 bytes via getsockopt
February 2009 by
SYNTHESIS OF THE VULNERABILITY
A local attacker can use getsockopt() in order to read 4 bytes
from the kernel memory.
Gravity: 1/4
Consequences: data reading
Provenance: user shell
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 18/02/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The getsockopt() function retrieve options associated to a socket.
This function is implemented by the sock_getsockopt() function of
the net/core/sock.c file.
The SO_BSDCOMPAT socket type used a compatible BSD interface, but
it is obsolete. When getsockopt() uses SO_BSDCOMPAT, the kernel
displays an error message and leaves the function. However, in
this case, an integer is not initialized, but is copied in user’s
buffer (in fact, only the first 4 bytes of an union containing
this integer are copied).
A local attacker can therefore use getsockopt() in order to read 4
bytes from the kernel memory.
CHARACTERISTICS
Identifiers: VIGILANCE-VUL-8478
http://vigilance.fr/vulnerability/Linux-kernel-reading-4-bytes-via-getsockopt-8478