Date: 21 Apr 2004 18:41:15 +0200
From: SecuriTeam <support@securiteam.com>
To: list@securiteam.com
Subject: [UNIX] Linux Kernel Setsockopt MCAST_MSFILTER Integer Overflow Vulnerability
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Linux Kernel Setsockopt MCAST_MSFILTER Integer Overflow Vulnerability
------------------------------------------------------------------------
SUMMARY
An integer overflow has been found in the Linux kernel. As a result, a
kernel buffer can be overflowed and code execution can take place.
DETAILS
Vulnerable Systems:
* Linux kernel versions 2.4.22 up to 2.4.25, 2.6.1 up to 2.6.3
Immune Systems:
* Linux kernel versions 2.4.26, 2.6.4
The ip_setsockopt() function code is a subroutine of the setsockopt(2)
system call. This function allows manipulation of various options of the
IP socket. The MCAST_MSFILTER socket option can be used on multicast
sockets in order to provide the kernel with a list of multicast addresses
to be received when sending through the socket.
There is an exploitable integer overflow inside the code handling the
MCAST_MSFILTER socket option in the IP_MSFILTER_SIZE macro calculation.
The vulnerable code resides in net/ipv4/ip_sockglue.c file:
case MCAST_MSFILTER:
{
/* ... */
msize = IP_MSFILTER_SIZE(gsf->gf_numsrc);
msf = (struct ip_msfilter *)kmalloc(msize,GFP_KERNEL);
/* ... */
for (i=0; i<gsf->gf_numsrc; ++i) {
psin = (struct sockaddr_in *)&gsf->gf_slist[i];
if (psin->sin_family != AF_INET)
goto mc_msf_out;
msf->imsf_slist[i] = psin->sin_addr.s_addr;
}
whereas the IP_MSFILTER_SIZE macro is defined as follows:
#define IP_MSFILTER_SIZE(numsrc) \
(sizeof(struct ip_msfilter) - sizeof(__u32) \
+ (numsrc) * sizeof(__u32))
Successful exploitation of this vulnerability allows a user to gain root
privileges. In the event the exploitation is not successful it would lead
to a denial-of-service on the machine probably due to a kernel panic or an
instant reboot.
Workaround
All users of vulnerable kernels are encouraged to upgrade to the newer
versions that are immune to this vulnerability.
ADDITIONAL INFORMATION
The information has been provided by <mailto:cliph@isec.pl> Wojciech
Purczynski.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
