‘Linux Kernel Setsockopt MCAST_MSFILTER Integer Overflow Vulnerability’

Summary

‘An integer overflow has been found in the Linux kernel. As a result, a kernel buffer can be overflowed and code execution can take place.’

Credit:

‘The information has been provided by Wojciech Purczynski.’


Details

Vulnerable Systems:
 * Linux kernel versions 2.4.22 up to 2.4.25, 2.6.1 up to 2.6.3

Immune Systems:
 * Linux kernel versions 2.4.26, 2.6.4

The ip_setsockopt() function is a subroutine of the setsockopt(2) system call. It allows manipulation of various options of an IP socket. The MCAST_MSFILTER socket option can be used on multicast sockets to provide the kernel with a list of multicast source addresses that filter the traffic received on the socket.

There is an exploitable integer overflow in the code handling the MCAST_MSFILTER socket option, in the IP_MSFILTER_SIZE macro calculation. The vulnerable code resides in the net/ipv4/ip_sockglue.c file:

case MCAST_MSFILTER:
{
        /* … */
        /* size derived from the user-controlled count gf_numsrc */
        msize = IP_MSFILTER_SIZE(gsf->gf_numsrc);
        msf = (struct ip_msfilter *)kmalloc(msize, GFP_KERNEL);
        /* … */
        /* the loop bound is the same user-controlled count */
        for (i = 0; i < gsf->gf_numsrc; ++i) {
                psin = (struct sockaddr_in *)&gsf->gf_slist[i];
                if (psin->sin_family != AF_INET)
                        goto mc_msf_out;
                /* writes past the end of msf once msize has wrapped */
                msf->imsf_slist[i] = psin->sin_addr.s_addr;
        }
        /* … */
}

whereas the IP_MSFILTER_SIZE macro is defined as follows:

#define IP_MSFILTER_SIZE(numsrc) \
        (sizeof(struct ip_msfilter) - sizeof(__u32) \
        + (numsrc) * sizeof(__u32))
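The wrap in the macro is easiest to see in user space. The following is an added example, not code from the advisory or from the kernel: it models the IP_MSFILTER_SIZE arithmetic in 32-bit unsigned integers (as on the affected 32-bit kernels), shows that a large gf_numsrc yields a tiny msize while the copy loop still iterates gf_numsrc times, and contrasts it with a bounded computation that rejects the count before the multiplication can overflow. struct ip_msfilter_model, MSF_HEADER, the max_sources cap and all function names are assumptions introduced for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for struct ip_msfilter with the layout the macro
 * assumes: a fixed header followed by a __u32 source list. Not the kernel's
 * header; field sizes are chosen for the illustration only. */
struct ip_msfilter_model {
    uint32_t imsf_multiaddr;
    uint32_t imsf_interface;
    uint32_t imsf_fmode;
    uint32_t imsf_numsrc;
    uint32_t imsf_slist[1];
};

/* Header bytes preceding the source list: sizeof(struct) - sizeof(__u32). */
#define MSF_HEADER ((uint32_t)(sizeof(struct ip_msfilter_model) - sizeof(uint32_t)))

/* The page's IP_MSFILTER_SIZE arithmetic forced into 32-bit unsigned
 * arithmetic. numsrc * 4 wraps silently once numsrc reaches 0x40000000,
 * so the result can be far smaller than the data the caller will write. */
uint32_t msfilter_size_unchecked(uint32_t numsrc)
{
    return (uint32_t)(MSF_HEADER + numsrc * (uint32_t)sizeof(uint32_t));
}

/* Hardened computation: bound numsrc before multiplying. max_sources is an
 * assumed policy cap (the kernel applies its own limit; the value here is
 * not taken from the page). Returns 0 when the request must be rejected. */
uint32_t msfilter_size_checked(uint32_t numsrc, uint32_t max_sources)
{
    /* largest count whose size still fits in 32 bits */
    const uint32_t limit = (UINT32_MAX - MSF_HEADER) / (uint32_t)sizeof(uint32_t);
    if (numsrc > max_sources || numsrc > limit)
        return 0;
    return MSF_HEADER + numsrc * (uint32_t)sizeof(uint32_t);
}

/* True when a copy loop writing numsrc 4-byte entries after the header
 * would run past a buffer sized by the unchecked macro. */
bool copy_would_overrun(uint32_t numsrc)
{
    uint64_t needed = (uint64_t)MSF_HEADER + (uint64_t)numsrc * sizeof(uint32_t);
    return (uint64_t)msfilter_size_unchecked(numsrc) < needed;
}

int main(void)
{
    /* constructed sample counts: a sane one and three that wrap the macro */
    const uint32_t samples[] = { 3, 0x3fffffffu, 0x40000000u, 0x40000004u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t n = samples[i];
        printf("numsrc=0x%08x unchecked=%u checked=%u overrun=%s\n",
               n, msfilter_size_unchecked(n), msfilter_size_checked(n, 64),
               copy_would_overrun(n) ? "yes" : "no");
    }
    return 0;
}
```

With the sample counts, the unchecked size for 0x40000000 sources comes out as just the 16-byte header, and 0x40000004 sources yields 32 bytes, while the checked variant refuses both; the defensive point is that the bound must be applied to the count itself, before it is multiplied, not to the product.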

Successful exploitation of this vulnerability allows a local user to gain root privileges. If exploitation fails, the result is a denial of service on the machine, most likely a kernel panic or an immediate reboot.

Workaround
All users of vulnerable kernels are encouraged to upgrade to the newer versions that are immune to this vulnerability.

Categories: UNIX