Linux kernel setsockopt MCAST_MSFILTER整數溢出漏洞
漏洞描述:
Linux Kernel包含的ip_setsockopt()存在整數溢出,本地攻擊者可以利用這個漏洞提升許可權,獲得ROOT許可權。
ip_setsockopt()函數是setsockopt(2)系統調用的子函數,這個函數允許操作多個IP套介面選項,MCAST_MSFILTER用於提供核心從套介面接收到的多播地址清單。在IP_MSFILTER_SIZE宏計算中處理MCAST_MSFILTER套介面選項的代碼存在整數溢出。
影響系統:
Linux kernel setsockopt MCAST_MSFILTER
Linux kernel 2.6.1
Linux kernel 2.6.2
Linux kernel 2.6.3
Linux kernel 2.4.22
Linux kernel 2.4.23
Linux kernel 2.4.24
Linux kernel 2.4.25
不影響系統:
Linux kernel 2.4.26
Linux kernel 2.6.4
攻擊代碼:
(此漏洞代碼存在於net/ipv4/ip_sockglue.c檔案中)
case MCAST_MSFILTER:
{
/* ... */
msize = IP_MSFILTER_SIZE(gsf->gf_numsrc);
msf = (struct ip_msfilter *)kmalloc(msize,GFP_KERNEL);
/* ... */
for (i=0; igf_numsrc; ++i) {
psin = (struct sockaddr_in *)&gsf->gf_slist[i];
if (psin->sin_family != AF_INET)
goto mc_msf_out;
msf->imsf_slist[i] = psin->sin_addr.s_addr;
}
whereas the IP_MSFILTER_SIZE macro is defined as follows:
#define IP_MSFILTER_SIZE(numsrc) /
(sizeof(struct ip_msfilter) - sizeof(__u32) /
+ (numsrc) * sizeof(__u32))
安全建議:
下載Linux Kernel 2.4.26和2.6.4版本安全補丁:
http://www.kernel.org
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
