Vigil@nce: Linux kernel, NULL dereference via pipe_x_open
November 2009 by Vigil@nce
A local attacker can use numerous pipes in order to stop the
kernel or to execute privileged code.
– Severity: 2/4
– Consequences: administrator access/rights, denial of service of
computer
– Provenance: user shell
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 03/11/2009
IMPACTED PRODUCTS
– Debian Linux
– Fedora
– Linux kernel
– Red Hat Enterprise Linux
DESCRIPTION OF THE VULNERABILITY
A pipe is a inter process communication mechanism.
The inode->i_pipe structure contains information about a pipe
(number of readers, writers, etc.).
The pipe_read_open(), pipe_write_open() and pipe_rdwr_open()
functions from file linux/fs/pipe.c open a pipe. When opening
multiple pipes, the inode->i_pipe can be NULL. The pipe_x_open()
functions therefore dereference a NULL pointer.
A local attacker can thus use numerous pipes in order to stop the
kernel.
An attacker can also use this vulnerability with
VIGILANCE-VUL-8953 (https://vigilance.fr/tree/1/8953)/VIGILANCE-VUL-8861
(https://vigilance.fr/tree/1/8861) in order to elevate his
privileges.
CHARACTERISTICS
– Identifiers: 530490, BID-36901, CVE-2009-3547, DSA 1927-1, DSA
1928-1, DSA 1929-1, FEDORA-2009-11032, FEDORA-2009-11038,
RHSA-2009:1540-01, RHSA-2009:1541-01, RHSA-2009:1548-01,
RHSA-2009:1550-01, VIGILANCE-VUL-9150
– Url: http://vigilance.fr/vulnerability/Linux-kernel-NULL-dereference-via-pipe-x-open-9150