Problem Description:
The rtsock_msg_buffer() function serializes routing information
into a buffer. As part of this, it copies sockaddr structures
into a sockaddr_storage structure on the stack. It assumes that
the source sockaddr's length field (sa_len) has already been
validated, but this is not necessarily the case, and it is possible
for a malicious userspace program to craft a request whose claimed
length exceeds the destination and triggers a 127-byte overflow.
In practice, this overflow immediately overwrites the canary for
the rtsock_msg_buffer() stack frame, resulting in a panic once the
function returns.
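The following is an added illustration, not code from the advisory or from the FreeBSD kernel. It models the pattern described above in userspace: a sockaddr whose first byte is its own length (sa_len, a uint8_t, so at most 255) copied into a fixed 128-byte sockaddr_storage that sits directly in front of a stack canary, which is where the 127-byte figure comes from. The struct definitions, the canary constant and the frame layout are constructed stand-ins for this example; the constructed request is filled with 0x41 bytes. The checked variant shows the bound a caller needs before the copy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the BSD types (not the kernel's headers): on BSD a
 * sockaddr carries its own length in its first byte (sa_len, a uint8_t, so at
 * most 255) and sockaddr_storage is a fixed 128 bytes. An unchecked
 * memcpy(&ss, sa, sa->sa_len) can therefore write up to 255 - 128 = 127 bytes
 * past the end of ss. */
#define SS_SIZE   128
#define SA_MAXLEN 255

/* Model of the vulnerable stack frame: the sockaddr_storage immediately
 * followed by the compiler's stack canary, plus slack so the demonstration
 * copy stays inside one object (defined behaviour for the demo; on a real
 * stack the bytes after the canary are saved registers and the return
 * address). */
struct frame_model {
    uint8_t  ss[SS_SIZE];
    uint64_t canary;
    uint8_t  slack[SA_MAXLEN];
};

#define CANARY_VALUE 0x5a5aa5a5deadbeefULL /* arbitrary constant for the model */

/* Bytes an unchecked copy of sa_len bytes would write past a 128-byte
 * sockaddr_storage; 0 when the sockaddr fits. */
size_t overflow_bytes(uint8_t sa_len)
{
    return sa_len > SS_SIZE ? (size_t)(sa_len - SS_SIZE) : 0;
}

/* Builds a constructed request sockaddr with the given claimed length and
 * family; everything after the two header bytes is a recognisable 0x41 fill. */
void make_sockaddr(uint8_t *buf, uint8_t sa_len, uint8_t family)
{
    memset(buf, 0x41, SA_MAXLEN);
    buf[0] = sa_len;
    buf[1] = family;
}

/* The unchecked pattern: trust sa[0] (sa_len) as the copy length. Returns
 * true if the canary still holds its value afterwards, false if clobbered. */
bool unchecked_copy_keeps_canary(const uint8_t *sa)
{
    struct frame_model fm;

    memset(&fm, 0, sizeof(fm));
    fm.canary = CANARY_VALUE;
    /* Nothing validates sa[0] against sizeof(fm.ss) before the copy. */
    memcpy((uint8_t *)&fm + offsetof(struct frame_model, ss), sa, sa[0]);
    return fm.canary == CANARY_VALUE;
}

/* Hardened pattern: bound the copy by the destination size and by the bytes
 * the caller actually holds before touching the stack buffer. Returns false
 * (and writes nothing) when sa_len is shorter than the two-byte header,
 * longer than the destination, or longer than the supplied buffer. */
bool checked_copy(uint8_t ss[SS_SIZE], const uint8_t *sa, size_t sa_avail)
{
    uint8_t sa_len;

    if (sa_avail < 2)           /* need at least sa_len and sa_family */
        return false;
    sa_len = sa[0];
    if (sa_len < 2 || sa_len > SS_SIZE || sa_len > sa_avail)
        return false;
    memset(ss, 0, SS_SIZE);
    memcpy(ss, sa, sa_len);
    return true;
}

/* Convenience wrappers: build a request with the claimed length and run each
 * pattern on it. */
bool unchecked_survives(uint8_t sa_len)
{
    uint8_t sa[SA_MAXLEN];

    make_sockaddr(sa, sa_len, 2);
    return unchecked_copy_keeps_canary(sa);
}

bool checked_accepts(uint8_t sa_len)
{
    uint8_t sa[SA_MAXLEN], ss[SS_SIZE];

    make_sockaddr(sa, sa_len, 2);
    return checked_copy(ss, sa, sizeof(sa));
}
```

A claimed length of 128 is the largest the unchecked copy tolerates; 129 already overwrites the first canary byte, and 255 overwrites the canary and 119 bytes beyond it, which is the panic-on-return behaviour the advisory describes. The checked version rejects the same inputs without writing to the stack buffer at all.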
Impact:
The bug allows an unprivileged user to crash the kernel by
triggering a stack buffer overflow in rtsock_msg_buffer(). In
particular, the overflow will corrupt a stack canary value that is
verified when the function returns; this mitigates the impact of
the stack overflow by triggering a kernel panic.
Other kernel bugs may exist that allow userspace to learn the canary
value and thus defeat the mitigation, at which point local privilege
escalation may be possible.