Vigil@nce - Linux kernel: denial of service via CIFS
May 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can create a special file on a CIFS network
shared, in order to lead a denial of service.
Severity: 1/4
Creation date: 09/05/2011
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The kernel implements a CIFS client which can access to CIFS/SMB
network shared.
The system function open() and fcntl() support flag which manage
their operation:
– O_RDONLY : read only
– O_CREAT : file creation
– O_EXCL : new file creation
– O_DIRECT : data are not put in cache
– etc.
The file "fs/cifs/file.c" can manage interface between file system
and CIFS.
The cifs_close() function manage file close process. However, if a
local attacker open a file with the O_DIRECT, the cifs_close()
does not verify that that creates a null pointer dereference,
which causes a denial of service.
A local attacker can therefore create a special file on a CIFS
network shared, in order to lead a denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-CIFS-10628