Vigil@nce: Linux kernel, NULL dereference in tun_chr_poll
July 2009 by Vigil@nce
A local attacker can trigger a NULL pointer dereference in the
tun_chr_poll() function of the kernel, in order to cause a
denial of service or to execute code.
– Severity: 1/4
– Consequences: user access/rights, denial of service of computer
– Provenance: user shell
– Means of attack: 1 proof of concept and 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 20/07/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The /dev/net/tun device is used to create tunnels. When a user
calls the poll() function (waiting for events) on this device, the
kernel uses tun_chr_poll().
However, when there is no event, a NULL pointer is dereferenced in
tun_chr_poll(). This error only impacts kernel versions 2.6.30
and 2.6.30.1.
A local attacker can therefore create a denial of service.
Moreover, the VIGILANCE-VUL-8861 (https://vigilance.fr/tree/1/8861)
vulnerability can be used to obtain kernel privileges.
CHARACTERISTICS
– Identifiers: BID-35724, CVE-2009-1897, VIGILANCE-VUL-8873
Pointed by: VIGILANCE-VUL-8861, VIGILANCE-VUL-8873
– Url: http://vigilance.fr/vulnerability/Linux-kernel-NULL-dereference-in-tun-chr-poll-8873