Vigil@nce: Linux kernel, denial of service via led_proc_write
August 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
On a PA RISC system, a local attacker can access to /proc/pdc/led,
in order to stop the kernel.
– Severity: 1/4
– Creation date: 03/08/2010
DESCRIPTION OF THE VULNERABILITY
PA RISC systems have display LEDs and a LCD screen.
The /proc/pdc/led interface is used to enable or disable 3 LEDs.
For example :
echo "0 1 1" > /proc/pdc/led
When the user writes to /proc/pdc/led, the led_proc_write()
function of the drivers/parisc/led.c file is called. This function
uses a stack array to store the received string. However, the size
of this array equals to the size of the "size" parameter that the
user uses in the write() function. If an attacker uses a
"write(/proc/pdc/led, ..., large_value)", then the kernel can use
all its stack for this array.
On a PA RISC system, a local attacker can therefore access to
/proc/pdc/led, in order to stop the kernel.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-led-proc-write-9809