Vigil@nce: Linux kernel, memory corruption via clone
August 2009 by Vigil@nce
A local attacker can use clone() and execve() in order to change 4
bytes in kernel memory.
Severity: 2/4
Consequences: privileged access/rights, denial of service of
computer
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 04/08/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The CLONE_CHILD_SETTID and CLONE_CHILD_CLEARTID options of the
clone() system call are used when the thread identifier (stored on
4 bytes) has to be written in memory. The set_tid_address() system
call changes this memory address (child_tidptr).
When the execve() system call is used, the user memory space is
copied. However, the child_tidptr address is not updated, and can
thus point to an invalid address.
A local attacker can therefore alter 4 bytes of kernel memory, in
order to generate a denial of service or to execute code.
CHARACTERISTICS
Identifiers: BID-35930, VIGILANCE-VUL-8915
http://vigilance.fr/vulnerability/Linux-kernel-memory-corruption-via-clone-8915