[37934] in bugtraq
Re: Linux kernel scm_send local DoS
daemon@ATHENA.MIT.EDU (Pavel Kankovsky)
Thu Dec 23 15:15:49 2004
Message-ID: <20041223155439.15412.qmail@paddy.troja.mff.cuni.cz>
From: "Pavel Kankovsky" <peak@argo.troja.mff.cuni.cz>
Date: Thu, 23 Dec 2004 16:54:39 +0100 (CET)
To: security@isec.pl
Cc: bugtraq@securityfocus.com, <vulnwatch@vulnwatch.org>,
<full-disclosure@lists.netsys.com>
In-Reply-To: <Pine.LNX.4.44.0412141131350.1042-100000@isec.pl>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Tue, 14 Dec 2004, Paul Starzetz wrote:
> The Linux kernel provides a powerful socket API to user applications.
> Among other functions sockets provide an universal way for IPC and user-
> kernel communication. The socket layer uses several logical sublayers.
> One of the layers, so called auxiliary message layer (or scm layer),
> augments the socket API by an universal user-kernel message passing
> capability (see recvfrom(2) for more details on auxiliary messages).
More nasties might be lurking nearby (at least in 2.4):
- additional, almost identical, copies of cmsg parsing code appear in
ip_cmsg_send() (net/ipv4/ip_sockglue.c) and datagram_send_ctl()
(net/ipv6/datagram.c)
- sys_sendmsg() (net/socket.c) is willing to allocate almost arbitrary
large blocks of kernel memory
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
