Vigil@nce - Linux kernel: denial of service via IOCB_FLAG_RESFD
November 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can use IOCB_FLAG_RESFD in order to stop the kernel.
Severity: 1/4
Creation date: 10/11/2010
DESCRIPTION OF THE VULNERABILITY
The Linux kernel supports AIO (Asynchronous Input/Output).
The iocb structure contains the aio_resfd field, which holds the file descriptor of the eventfd to which completion results are delivered. The IOCB_FLAG_RESFD flag indicates that aio_resfd is set.
However, if that file descriptor is invalid, an error occurs, and on the resulting error path the req->ki_filp pointer, which is still NULL, is dereferenced.
A local attacker can therefore use IOCB_FLAG_RESFD in order to stop the kernel.
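The error-path pattern described above, modelled as an added example in C; this is a constructed simplification, not the kernel's own code, and the structure, table and function names (aio_req, eventfd_lookup, file_put, submit_req) are assumptions. The unchecked cleanup releases ki_filp before the target file was ever attached, while the hardened cleanup releases only what was actually acquired.

```c
#include <stddef.h>
#include <stdint.h>
#include <errno.h>

/* Constructed model of an AIO submit path; names are assumptions, not kernel source. */
#define IOCB_FLAG_RESFD 1u

struct file { int refcount; };                      /* stand-in for the kernel's struct file */
struct iocb { uint32_t aio_flags; int aio_resfd; };  /* only the fields the bug involves */
struct aio_req { struct file *ki_filp; struct file *ki_eventfd; };

/* Constructed fd table: only fd 3 is a valid eventfd in this model. */
static struct file eventfd_table[4];
static struct file *eventfd_lookup(int fd) {
    if (fd != 3) return NULL;
    eventfd_table[fd].refcount++;
    return &eventfd_table[fd];
}

/* Counts releases that a real fput() would have turned into a NULL dereference. */
static int puts_on_null;
static void file_put(struct file *f) {
    if (!f) { puts_on_null++; return; }
    f->refcount--;
}

/* Vulnerable shape: ki_filp is released unconditionally, but it is still NULL
 * when the eventfd lookup fails before the target file is attached. */
static void free_req_unchecked(struct aio_req *req) {
    file_put(req->ki_filp);
    if (req->ki_eventfd) file_put(req->ki_eventfd);
}

/* Hardened shape: release only the references that were actually taken. */
static void free_req_checked(struct aio_req *req) {
    if (req->ki_filp) file_put(req->ki_filp);
    if (req->ki_eventfd) file_put(req->ki_eventfd);
}

/* Returns 0 on success or -EINVAL for a bad resfd, cleaning up with the given routine. */
static int submit_req(const struct iocb *iocb, void (*cleanup)(struct aio_req *)) {
    struct aio_req req = { NULL, NULL };
    if (iocb->aio_flags & IOCB_FLAG_RESFD) {
        req.ki_eventfd = eventfd_lookup(iocb->aio_resfd);
        if (!req.ki_eventfd) { cleanup(&req); return -EINVAL; }
    }
    /* the target file would be attached to req.ki_filp here */
    return 0;
}
```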
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-IOCB-FLAG-RESFD-10120