Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Linux kernel scm_send local DoS
From: "Pavel Kankovsky" <peak () argo troja mff cuni cz>
Date: Thu, 23 Dec 2004 16:54:39 +0100 (CET)

On Tue, 14 Dec 2004, Paul Starzetz wrote:

The Linux kernel provides a powerful socket API  to  user  applications.
Among other functions sockets provide an universal way for IPC and user-
kernel communication. The socket layer uses several  logical  sublayers.
One  of  the  layers,  so called auxiliary message layer (or scm layer),
augments the socket API by  an  universal  user-kernel  message  passing
capability (see recvfrom(2) for more details on auxiliary messages).

More nasties might be lurking nearby (at least in 2.4):

- additional, almost identical, copies of cmsg parsing code appear in
  ip_cmsg_send() (net/ipv4/ip_sockglue.c) and datagram_send_ctl()

- sys_sendmsg() (net/socket.c) is willing to allocate almost arbitrary 
  large blocks of kernel memory

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]