Critical vulnerability in the Linux kernel affects all versions since 2001August 14, 2009 – 4:51 AM
Google security specialists Tavis Ormandy and Julien Tiennes report that a critical security vulnerability in the Linux kernel affects all versions of 2.4 and 2.6 since 2001, on all architectures. The vulnerability enables users with limited rights to get root rights on the system. The cause is a NULL pointer dereference in connection with the initialisation of sockets for rarely used protocols.
A pointer structure usually defines what operations a socket supports, for example accept, bind and so on. If, say, the accept operation is not implemented, it should point to a predefined component such as sock_no_accept. This is evidently not the case with all implemented protocols. The report mentions PF_BLUETOOTH, PF_IUCV, PF_INET6 (with IPPROTO_SCTP), PF_PPPOX and PF_ISDN, among others, as having unimplemented operations. Some pointers remain uninitialised, and this can be exploited in conjunction with the function sock_sendpage to execute code with root rights.