Unix and Unix-based select() System Call Overflow Vulnerability

The select() system call may be vulnerable to an overflow condition, possibly allowing attackers to write data past the end of a fixed size buffer.

select() uses arguments of type 'fd_set', which is of a fixed size in many Unix variants. fd_set is used to keep track of open file descriptors.

If a process raises its rlimit for open files past 1024, it is theoretically possible for select() to change individual bits past the end of the fixed-size fds_bits array inside fd_set, because the FD_SET macro performs no bounds check against FD_SETSIZE. In theory, an attacker may be able to use this vulnerability to cause a denial of service condition, or possibly execute arbitrary code.
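As an added illustration (not part of this BID and not code from any vendor), the following C program shows the checks a developer would place around FD_SET so that a descriptor at or beyond FD_SETSIZE is refused instead of setting a bit outside fds_bits, and shows poll() as the alternative interface, which takes an explicitly sized array and so has no fixed upper bound on descriptor numbers. The helper names (fd_fits_in_fdset, safe_fd_set, count_readable_poll, fdset_capacity_bits) are assumptions for this example; the pipe used as input is constructed inline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <limits.h>
#include <poll.h>
#include <unistd.h>
#include <sys/select.h>

/* Size, in bits, of the fds_bits array inside fd_set, computed from the
   structure itself so it reflects what this C library actually allocates. */
size_t fdset_capacity_bits(void)
{
    return sizeof(fd_set) * CHAR_BIT;
}

/* Returns 1 if fd is a valid index into fd_set on this platform, 0 otherwise.
   FD_SETSIZE is the compile-time bound (1024 on most Unix variants); FD_SET
   itself performs no check, so a descriptor >= FD_SETSIZE would address a bit
   outside fds_bits. */
int fd_fits_in_fdset(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Bounds-checked replacement for FD_SET (hypothetical helper): leaves the set
   untouched and returns 0 when fd is out of range, returns 1 when the bit was set. */
int safe_fd_set(int fd, fd_set *set)
{
    if (!fd_fits_in_fdset(fd))
        return 0;
    FD_SET(fd, set);
    return 1;
}

/* poll() alternative: the caller passes an explicitly sized array of pollfd,
   so descriptor numbers above 1024 are handled without any fixed bitmap.
   Returns the number of descriptors that are readable, or -1 on error. */
int count_readable_poll(const int *fds, size_t n, int timeout_ms)
{
    struct pollfd *pfds = calloc(n, sizeof *pfds);
    int readable = 0;
    int rc;
    size_t i;

    if (pfds == NULL)
        return -1;
    for (i = 0; i < n; i++) {
        pfds[i].fd = fds[i];
        pfds[i].events = POLLIN;
    }
    rc = poll(pfds, (nfds_t)n, timeout_ms);
    if (rc > 0) {
        for (i = 0; i < n; i++)
            if (pfds[i].revents & POLLIN)
                readable++;
    }
    free(pfds);
    return rc < 0 ? -1 : readable;
}

int main(void)
{
    fd_set set;
    int p[2];
    int fds[1];

    FD_ZERO(&set);
    printf("fd_set holds %zu bits; FD_SETSIZE = %d\n",
           fdset_capacity_bits(), FD_SETSIZE);
    printf("safe_fd_set(3): %d\n", safe_fd_set(3, &set));
    printf("safe_fd_set(FD_SETSIZE + 5): %d (refused)\n",
           safe_fd_set(FD_SETSIZE + 5, &set));

    /* Constructed input: a pipe with one byte written, so its read end is readable. */
    if (pipe(p) == 0) {
        if (write(p[1], "x", 1) == 1) {
            fds[0] = p[0];
            printf("poll: %d readable descriptor(s)\n",
                   count_readable_poll(fds, 1, 0));
        }
        close(p[0]);
        close(p[1]);
    }
    return 0;
}
```

The bounds check is the mitigation a reviewer would look for in any code that mixes select() with a raised open-files limit; where descriptors can legitimately exceed FD_SETSIZE, switching to poll() removes the fixed-size array altogether.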

It should be noted that rlimits can only be raised by root, and that only processes with rlimits allowing more than 1024 file descriptors would be affected.

This is a theoretical issue, and it has not been confirmed by any vendor. This BID will be updated when further information is released.

Copyright 2010, SecurityFocus