Vigil@nce: Linux kernel, denial of service via PaX
March 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When the PaX patch is installed on the Linux kernel, a local
attacker can generate an infinite loop.
– Severity: 1/4
– Creation date: 22/03/2011
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The PaX patch restricts access to kernel memory pages.
The mmap() system call maps a file into memory. The
MAP_GROWSDOWN and MAP_GROWSUP flags indicate the direction in
which the mapping grows (DOWN means it grows like a stack).
When a program calls mmap() with MAP_GROWSDOWN, followed by a
normal mmap(), an infinite loop occurs in the
arch_get_unmapped_area_topdown() function of PaX.
When the PaX patch is installed on the Linux kernel, a local
attacker can therefore generate a denial of service.
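For detection, the first step of the sequence described above is visible in audit logs. The following is an added example, not part of the Vigil@nce bulletin: it scans Linux audit SYSCALL records for mmap() calls carrying MAP_GROWSDOWN. It assumes an x86-64 host with an audit rule that records mmap; the log lines are constructed samples.

```python
import re

AUDIT_ARCH_X86_64 = "c000003e"  # arch field for x86-64 in audit records
SYS_MMAP = "9"                  # mmap syscall number on x86-64 (assumed platform)
MAP_GROWSDOWN = 0x0100          # flag value on x86

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records, not taken from a real system.
SAMPLE = [
    'type=SYSCALL msg=audit(1300790000.101:41): arch=c000003e syscall=9 success=yes exit=139800000000000 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=2000 pid=2101 auid=1000 uid=1000 comm="cat" exe="/bin/cat"',
    'type=SYSCALL msg=audit(1300790001.250:42): arch=c000003e syscall=9 success=yes exit=139800000004096 a0=0 a1=1000 a2=3 a3=122 items=0 ppid=2000 pid=2150 auid=1000 uid=1000 comm="a.out" exe="/home/user/a.out"',
    'type=SYSCALL msg=audit(1300790002.010:43): arch=c000003e syscall=2 success=yes exit=3 a0=7ffc0000 a1=0 a2=0 a3=122 items=1 ppid=2000 pid=2160 auid=1000 uid=1000 comm="ls" exe="/bin/ls"',
    'type=SYSCALL msg=audit(1300790003.000:44): arch=c000003e syscall=9 success=yes a0=0 a1=1000',
]

def parse_record(line):
    """Split one audit record into a key/value dict, unquoting values."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def find_growsdown_mmaps(lines):
    """Return mmap() calls whose flags argument (a3, hex) has MAP_GROWSDOWN set.

    Audit SYSCALL records are written at syscall exit, so an mmap() that
    never returns leaves no record of its own. The MAP_GROWSDOWN call
    that precedes it is the step a log review can actually see.
    """
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        if rec.get("arch") != AUDIT_ARCH_X86_64 or rec.get("syscall") != SYS_MMAP:
            continue
        try:
            flags = int(rec["a3"], 16)
            hit = {"pid": int(rec["pid"]), "uid": int(rec["uid"]),
                   "comm": rec.get("comm", ""), "flags": hex(flags)}
        except (KeyError, ValueError):
            continue  # truncated or malformed record
        if flags & MAP_GROWSDOWN:
            hits.append(hit)
    return hits

if __name__ == "__main__":
    for h in find_growsdown_mmaps(SAMPLE):
        print(h)
```

A hit followed by the same process consuming CPU in kernel mode without returning is the pattern to correlate on a PaX-patched kernel.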
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-PaX-10472