
Linux kernel setsockopt MCAST_MSFILTER integer overflow





Synopsis:  Linux kernel setsockopt MCAST_MSFILTER integer overflow
Product:   Linux kernel
Version:   2.4.22 - 2.4.25, 2.6.1 - 2.6.3
Vendor:    http://www.kernel.org/
URL:       http://isec.pl/vulnerabilities/isec-0015-msfilter.txt
Author:    Paul Starzetz <ihaquer@xxxxxxx>
           Wojciech Purczynski <cliph@xxxxxxx>
Date:      April 20, 2004


1. Issue

A critical security vulnerability has been found in the Linux kernel in
the ip_setsockopt() function code.


2. Details
 
The ip_setsockopt() function is a subroutine of the setsockopt(2) system
call. It allows manipulation of various options of an IP socket. The
MCAST_MSFILTER option can be used to provide the kernel with a list of
multicast addresses to be received on the socket. This code was
introduced with the 2.4.22/2.6.1 kernel releases.

There is an exploitable integer overflow inside the code handling the
MCAST_MSFILTER socket option, in the IP_MSFILTER_SIZE macro calculation.

The vulnerable code resides in the net/ipv4/ip_sockglue.c file:

case MCAST_MSFILTER:
{
/* ... */
        msize = IP_MSFILTER_SIZE(gsf->gf_numsrc);
        msf = (struct ip_msfilter *)kmalloc(msize,GFP_KERNEL);
/* ... */
        for (i=0; i<gsf->gf_numsrc; ++i) {
                psin = (struct sockaddr_in *)&gsf->gf_slist[i];
                if (psin->sin_family != AF_INET)
                        goto mc_msf_out;
                msf->imsf_slist[i] = psin->sin_addr.s_addr;
        }

whereas the IP_MSFILTER_SIZE macro is defined as follows:

#define IP_MSFILTER_SIZE(numsrc) \
        (sizeof(struct ip_msfilter) - sizeof(__u32) \
        + (numsrc) * sizeof(__u32))

The integer overflow in this size calculation makes kmalloc() return a
buffer smaller than the gf_numsrc entries that the for loop subsequently
copies into it, so the kernel buffer is overflowed with user-supplied
values.
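To make the arithmetic concrete, the following is an added example (not from the advisory or from the kernel source) that models the 32-bit size calculation, shows where the copy loop outruns the allocation, and gives the bounds check a corrected version needs before allocating. The struct layout is a stand-in constructed after the kernel header; MSF_HEADER and the function names are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>

typedef uint32_t __u32;

/* Stand-in for the kernel's struct ip_msfilter (constructed for this
 * example): four fixed fields plus a 1-entry tail, 20 bytes in total. */
struct ip_msfilter {
    __u32 imsf_multiaddr;
    __u32 imsf_interface;
    __u32 imsf_fmode;
    __u32 imsf_numsrc;
    __u32 imsf_slist[1];
};

/* Fixed part of the allocation: sizeof(struct) - sizeof(__u32) = 16. */
#define MSF_HEADER ((uint32_t)(sizeof(struct ip_msfilter) - sizeof(__u32)))

/* IP_MSFILTER_SIZE as evaluated on a 32-bit kernel, where size_t is 32
 * bits: numsrc * 4 wraps modulo 2^32 once numsrc reaches 0x40000000. */
uint32_t msfilter_size_wrapping(uint32_t numsrc)
{
    return MSF_HEADER + numsrc * (uint32_t)sizeof(__u32);
}

/* How many slist entries the (possibly wrapped) msize really has room for. */
uint32_t entries_allocated(uint32_t numsrc)
{
    uint32_t msize = msfilter_size_wrapping(numsrc);
    return msize < MSF_HEADER ? 0 : (msize - MSF_HEADER) / (uint32_t)sizeof(__u32);
}

/* True when the copy loop (gf_numsrc iterations) would write past the
 * buffer that kmalloc(msize) returned. */
bool loop_overruns_buffer(uint32_t numsrc)
{
    return entries_allocated(numsrc) < numsrc;
}

/* Hardened size computation: reject any numsrc whose product cannot be
 * represented before anything is allocated. Returns 0 on overflow
 * (a legitimate size is never 0, since MSF_HEADER is 16). */
uint32_t msfilter_size_checked(uint32_t numsrc)
{
    if (numsrc > (UINT32_MAX - MSF_HEADER) / (uint32_t)sizeof(__u32))
        return 0;
    return MSF_HEADER + numsrc * (uint32_t)sizeof(__u32);
}
```

Checking gf_numsrc against such a bound (the kernel additionally caps it with a sysctl) before the kmalloc() is what removes the size/loop mismatch.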


3. Impact

Proper exploitation of this vulnerability leads to local privilege
escalation, giving an attacker full super-user privileges. Unsuccessful
exploitation of the vulnerability may lead to a denial of service,
causing a machine crash or instant reboot.


4. Solution

This bug has been fixed in the 2.4.26 and 2.6.4 kernel releases. All
users of vulnerable kernels are advised to upgrade to the latest kernel
version. For further information please contact your vendor.


5. Credits

Paul Starzetz <ihaquer@xxxxxxx> discovered the vulnerability over half
a year ago. Wojciech Purczynski performed further research and developed
exploit code.


6. Copyright

Copyright (c) 2004 iSEC Security Research
All Rights Reserved.


7. Disclaimer

This document and all the information it contains are provided "as is",
for educational purposes only, without warranty of any kind, whether
express or implied.

All the content presented here may be subject to future modifications
and updates without prior notice.

The authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of the information provided in
this document. Liability claims regarding damage caused by the use of
any information provided, including any kind of information which is
incomplete or incorrect, will therefore be rejected.

-- 
Wojciech Purczynski
iSEC Security Research
http://isec.pl/
