CVE-2009-2692

EPSS 14.7%

The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.

Affected products

n/a · n/a

public PoCs found — 11

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git%3Ba=commit%3Bh=c18d0fe535a73b219f960d1af3d0c264555a12e3 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=e694958388c50148389b0e9b9e9e8945cf0f1b98 http://grsecurity.net/~spender/wunderbar_emporium.tgz http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00001.html http://rhn.redhat.com/errata/RHSA-2009-1222.html http://rhn.redhat.com/errata/RHSA-2009-1223.html https://bugzilla.redhat.com/show_bug.cgi?id=516949 http://secunia.com/advisories/36278 http://secunia.com/advisories/36289 http://secunia.com/advisories/36327