Vigil@nce: Linux kernel, buffer overflow via ldm_frag_add
March 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can mount a device with a malicious Windows Logical
Disk Manager partition, in order to corrupt the kernel memory,
which leads to a denial of service or to code execution.
– Severity: 2/4
– Creation date: 24/02/2011
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The fs/partitions/ldm.c file implements support for Windows
Logical Disk Manager (LDM) partitions. These partitions are
automatically read when a user connects or mounts a device formatted
with LDM.
The ldm_frag_add() function adds the VBLK fields of an LDM partition
to a linked list. Each VBLK field is stored in an allocated memory
area. However, the size of this memory area is computed from a
multiplication which can overflow. The VBLK field is thus copied
into a memory area which is too short.
An attacker can therefore mount a device with a malicious Windows
Logical Disk Manager partition, in order to corrupt the kernel
memory, which leads to a denial of service or to code execution.
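As an added illustration of the bug class described above (this is constructed example code, not the kernel's ldm.c), the following C program computes an allocation size from two untrusted 32-bit header fields, first without and then with overflow checking; FRAG_OVERHEAD and the function names are assumptions for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Overhead of the hypothetical list node that precedes the copied VBLK
 * data (an assumption for this illustration, not the real struct frag). */
#define FRAG_OVERHEAD 16u

/* Unchecked: mirrors the bug class described above. Both inputs come from
 * the on-disk VBLK header, so size * num can wrap in 32-bit arithmetic and
 * the allocation ends up far smaller than the data later copied into it. */
uint32_t frag_alloc_size_unchecked(uint32_t size, uint32_t num)
{
    return FRAG_OVERHEAD + size * num;
}

/* Checked: reject any header whose product or sum does not fit. Uses the
 * GCC/Clang overflow builtins; later kernels provide check_mul_overflow()
 * and check_add_overflow() in <linux/overflow.h> for the same purpose. */
bool frag_alloc_size_checked(uint32_t size, uint32_t num, uint32_t *out)
{
    uint32_t payload, total;

    if (__builtin_mul_overflow(size, num, &payload))
        return false;                 /* size * num wrapped */
    if (__builtin_add_overflow(FRAG_OVERHEAD, payload, &total))
        return false;                 /* overhead + payload wrapped */
    *out = total;
    return true;
}

int main(void)
{
    uint32_t out = 0;

    /* Constructed benign header: 4 fragments of 512 bytes. */
    printf("benign:  unchecked=%u checked_ok=%d\n",
           frag_alloc_size_unchecked(512, 4),
           frag_alloc_size_checked(512, 4, &out));

    /* Constructed hostile header: 0x40000001 * 4 wraps to 4, so the
     * unchecked size is only 20 bytes while about 4 GiB would be copied. */
    printf("hostile: unchecked=%u checked_ok=%d\n",
           frag_alloc_size_unchecked(0x40000001u, 4),
           frag_alloc_size_checked(0x40000001u, 4, &out));
    return 0;
}
```

The same check belongs wherever a length is derived from on-disk or on-the-wire fields before it feeds an allocation or copy.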
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-buffer-overflow-via-ldm-frag-add-10397