Vigil@nce - Linux kernel: NULL pointer dereference via futex_wait_requeue_pi
May 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can dereference a NULL pointer in the
futex_wait_requeue_pi() function of the Linux kernel, in order to
trigger a denial of service.
Impacted products: Linux
Severity: 1/4
Creation date: 14/05/2014
DESCRIPTION OF THE VULNERABILITY
The Linux kernel can be compiled with support for CONFIG_FUTEX
(Fast Userspace Mutex).
The FUTEX_WAIT_REQUEUE_PI operation puts the current thread to
sleep on a non-priority-inheritance (non-PI) futex wait queue, and
then waits to be requeued onto a priority-inheritance (PI) futex.
However, if both futex addresses passed to the call are the same,
the futex_wait_requeue_pi() function uses a pointer without first
checking whether it is NULL.
An attacker can therefore dereference a NULL pointer in the
futex_wait_requeue_pi() function of the Linux kernel, in order to
trigger a denial of service.
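As an added example that is not part of the Vigil@nce bulletin, the following seccomp-BPF filter is one way to keep a process away from the requeue-PI code path the bulletin describes until the kernel is patched: it makes futex(2) fail with EPERM for the FUTEX_WAIT_REQUEUE_PI and FUTEX_CMP_REQUEUE_PI commands. It assumes a Linux kernel built with seccomp filter support; the helper names futex_op_blocked(), build_futex_filter() and install_futex_filter() are this example's own.

```c
/* Added example, not from the bulletin: seccomp-BPF filter that refuses the
 * futex requeue-PI commands. Assumes Linux with CONFIG_SECCOMP_FILTER. */
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/futex.h>
#include <linux/seccomp.h>

/* Same decision the BPF program makes, in plain C so it can be unit-tested:
 * returns 1 to refuse the futex op, 0 to allow it. The flag bits are masked
 * so the PRIVATE and CLOCK_REALTIME variants of both commands are caught. */
int futex_op_blocked(unsigned op)
{
    unsigned cmd = op & FUTEX_CMD_MASK;
    return cmd == FUTEX_WAIT_REQUEUE_PI || cmd == FUTEX_CMP_REQUEUE_PI;
}

/* Fills prog with the filter and returns its instruction count (0 if max is
 * too small). A production filter would also check seccomp_data.arch first. */
int build_futex_filter(struct sock_filter *prog, size_t max)
{
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_futex, 1, 0), /* not futex: */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),          /* allow it   */
        /* args[1] is the op argument; drop the flag bits before comparing. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[1])),
        BPF_STMT(BPF_ALU | BPF_AND | BPF_K, (unsigned)FUTEX_CMD_MASK),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FUTEX_WAIT_REQUEUE_PI, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FUTEX_CMP_REQUEUE_PI, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),  /* refused   */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),          /* other ops */
    };
    size_t n = sizeof f / sizeof f[0];
    if (n > max) return 0;
    for (size_t i = 0; i < n; i++) prog[i] = f[i];
    return (int)n;
}

/* Installs the filter for the calling process and its children; 0 on success. */
int install_futex_filter(void)
{
    struct sock_filter prog[16];
    struct sock_fprog fp = { .len = (unsigned short)build_futex_filter(prog, 16),
                             .filter = prog };
    if (fp.len == 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp);
}
```

glibc's NPTL condition variables have used these two commands when the associated mutex is a priority-inheritance mutex, so this filter is only suitable for workloads known not to rely on PI mutexes; a patched kernel is the real fix.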
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN