Linux kernel isdn_net.c local buffer overflow vulnerability
A local buffer overflow vulnerability exists in the Linux kernel. The flaw is in isdn_net_setcfg() in drivers/isdn/i4l/isdn_net.c, which is reached when an IOCTL configuration request is sent to the ISDN control pseudo device (/dev/isdnctrl).
Updated on: 2007-12-03
Affected systems:
Linux kernel 2.6.23
Description:
Bugtraq id: 26605
CVE (CAN) ID: CVE-2007-6063
Linux Kernel is the kernel of the open-source Linux operating system.
Linux Kernel has a buffer overflow vulnerability. Local attackers may exploit it to escalate privileges.
The isdn_net_setcfg() function in drivers/isdn/i4l/isdn_net.c of the Linux kernel has a buffer overflow when it processes an IOCTL configuration request sent to the ISDN pseudo device (/dev/isdnctrl):
isdn_ioctl (drivers/isdn/i4l/isdn_common.c):

1270 isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg)
...
1410         case IIOCNETSCF:
1411
1412             if (arg) {
1413                 if (copy_from_user(&cfg, argp, sizeof(cfg)))   *** <- cfg is user-controlled
1414                     return -EFAULT;
1415                 return isdn_net_setcfg(&cfg);                 *** <- call isdn_net_setcfg()
1416             } else
1417                 return -EINVAL;
...

At line 1413, cfg is copied in from user space, so its contents are under user control. At line 1415, isdn_net_setcfg() is called with &cfg as its argument.

isdn_net_setcfg (drivers/isdn/i4l/isdn_net.c):

2664 isdn_net_setcfg(isdn_net_ioctl_cfg *cfg)
2665 {
...
2777         if (cfg->exclusive > 0) {
2778             unsigned long flags;
2779
2780
2781             spin_lock_irqsave(&dev->lock, flags);
2782             if ((i = isdn_get_free_channel(ISDN_USAGE_NET,
2783                     lp->l2_proto, lp->l3_proto, drvidx,
2784                     chidx, lp->msn)) < 0) {
2785
2786                 lp->exclusive = -1;
2787                 spin_unlock_irqrestore(&dev->lock, flags);
2788                 return -EBUSY;
2789             }
2790             dev->usage[i] = ISDN_USAGE_EXCLUSIVE;
2791             isdn_info_update();
2792             spin_unlock_irqrestore(&dev->lock, flags);
2794             lp->exclusive = i;
2795         } else {
2796
2797             lp->exclusive = -1;
2798             if ((lp->pre_device != -1) && (cfg->exclusive == -1)) {
2799                 isdn_unexclusive_channel(lp->pre_device, lp->pre_channel);
2800                 isdn_free_channel(lp->pre_device, lp->pre_channel, ISDN_USAGE_NET);
2801                 drvidx = -1;
2802                 chidx = -1;
2803             }
2804         }
2805         strcpy(lp->msn, cfg->eaz);   *** <- possible overrun of lp->msn by cfg->eaz
2806         lp->pre_device = drvidx;
2807         lp->pre_channel = chidx;
2808         lp->onhtime = cfg->onhtime;
2809         lp->charge = cfg->charge;
...
2884     return -ENODEV;
2885 }
At line 2805, strcpy() is called. The destination lp->msn is 32 bytes, while the source cfg->eaz is a larger array. Because the whole *cfg structure is user-controllable, cfg->eaz is user-controllable too, so the contents of lp->msn are overwritten with whatever string is supplied in cfg->eaz, with no length check. If the cfg->eaz string is longer than 32 bytes, the copy overflows lp->msn.
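As an added example, not part of this advisory or of the kernel source: a userspace C model of the copy at line 2805 with the bounds check a hardened version needs. The struct sizes are assumptions taken from the kernel's isdn headers (ISDN_MSNLEN is 32, eaz is 256 bytes), and the helper names are hypothetical. It goes slightly beyond the page by also handling an eaz field that carries no terminating NUL at all, which strcpy() would read straight past.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel structures in the listing above.
 * Sizes are assumptions from the 2.6.23 isdn headers: ISDN_MSNLEN == 32, eaz[256]. */
#define ISDN_MSNLEN 32
typedef struct { char eaz[256]; int onhtime; int charge; } isdn_net_ioctl_cfg;
typedef struct { char msn[ISDN_MSNLEN]; int onhtime; int charge; } isdn_net_local;

/* Length of s without ever looking past max bytes (the source array may lack a NUL). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened replacement for the strcpy() at line 2805 (hypothetical name).  cfg came
 * from copy_from_user(), so eaz may be over-long or unterminated.  Copy it only if it
 * fits in msn together with its terminator; otherwise reject and leave lp untouched. */
int set_msn_checked(isdn_net_local *lp, const isdn_net_ioctl_cfg *cfg)
{
    size_t n = bounded_len(cfg->eaz, sizeof(cfg->eaz));
    if (n >= sizeof(lp->msn))
        return -EINVAL;          /* 32 or more bytes: no room for the '\0' */
    memcpy(lp->msn, cfg->eaz, n);
    lp->msn[n] = '\0';
    lp->onhtime = cfg->onhtime;
    lp->charge = cfg->charge;
    return 0;
}

/* Applies a constructed request whose eaz is `len` bytes of 'A' (len == 256 gives an
 * unterminated field).  Returns the stored MSN length on success, or -EINVAL. */
int check_eaz_length(size_t len)
{
    isdn_net_ioctl_cfg cfg;
    isdn_net_local lp;
    int rc;
    memset(&cfg, 0, sizeof(cfg));
    memset(&lp, 0, sizeof(lp));
    memset(cfg.eaz, 'A', len > sizeof(cfg.eaz) ? sizeof(cfg.eaz) : len);
    rc = set_msn_checked(&lp, &cfg);
    return rc < 0 ? rc : (int)strlen(lp.msn);
}
```

check_eaz_length(31) returns 31, while 32 bytes or a full 256-byte unterminated field returns -EINVAL instead of writing past lp->msn.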
Users of this software are advised to watch the vendor's homepage for the latest patches: http://www.kernel.org/