Vigil@nce: Linux kernel, buffer overflow via xfs_acl_from_disk
January 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker, who is allowed to mount an XFS filesystem, can
use a high or negative number of ACLs, in order to create an
overflow, leading to a denial of service or to code execution.
– Severity: 2/4
– Creation date: 11/01/2012
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The Linux kernel supports XFS filesystems.
The xfs_acl_from_disk() function of the fs/xfs/xfs_acl.c file
reads ACLs indicated on an XFS filesystem. However, if the number
of ACL is larger than XFS_ACL_MAX_ENTRIES (25), or is negative,
the xfs_acl_from_disk() function corrupts the memory.
A local attacker, who is allowed to mount an XFS filesystem, can
therefore use a high or negative number of ACLs, in order to
create an overflow, leading to a denial of service or to code
execution.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-buffer-overflow-via-xfs-acl-from-disk-11274