Vigil@nce: Linux kernel, memory corruption via do_io_submit
September 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can use io_submit() in order to corrupt the
kernel memory, which leads to a denial of service and possibly to
code execution.
– Severity: 2/4
– Creation date: 21/09/2010
DESCRIPTION OF THE VULNERABILITY
The io_submit() system call is used to read/write asynchronously
from/to a file:
io_submit(context, size_of_array, array_of_blocks);
It calls the do_io_submit() function in fs/aio.c.
However, this function does not check whether the following
multiplication overflows (wraps around):
size_of_array * size_of_a_block
When the size_of_array parameter is too large, the product wraps to a
value that is smaller than the real size, and the kernel memory is then
corrupted.
A local attacker can therefore use io_submit() in order to corrupt
the kernel memory, which leads to a denial of service and possibly
to code execution.
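As an added illustration (not the bulletin's own material and not the kernel's code), the two check patterns reduced to plain user-space C: the vulnerable form multiplies the caller-supplied count by the element size before any bound check, so a wrapped product passes the check, while the hardened form bounds the count first. The element size, the copy limit and the adversarial count below are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <limits.h>
#include <stdio.h>

/* One array element: user space passes an array of pointers to I/O control
 * blocks, so each "block" here is one pointer wide (constructed for the demo). */
#define BLOCK_SIZE (sizeof(void *))
/* Illustrative upper bound on bytes accepted from user space (not the kernel's). */
#define MAX_COPY   ((size_t)1 << 20)

/* Vulnerable pattern: compute nr * BLOCK_SIZE, then check the result.
 * Returns the byte count to copy, or -1 if the request is rejected. */
long vulnerable_check(long nr)
{
    if (nr < 0)
        return -1;
    size_t bytes = (size_t)nr * BLOCK_SIZE;   /* unsigned multiply: may wrap */
    if (bytes > MAX_COPY)                     /* a wrapped product slips through */
        return -1;
    return (long)bytes;                       /* far smaller than nr elements */
}

/* Hardened pattern: reject any nr whose product cannot fit in size_t
 * before multiplying, so the bound check always sees the true size. */
long hardened_check(long nr)
{
    if (nr < 0)
        return -1;
    if ((size_t)nr > SIZE_MAX / BLOCK_SIZE)   /* product would overflow */
        return -1;
    size_t bytes = (size_t)nr * BLOCK_SIZE;
    if (bytes > MAX_COPY)
        return -1;
    return (long)bytes;
}

/* Constructed adversarial count: nr * BLOCK_SIZE equals SIZE_MAX + 1 + BLOCK_SIZE,
 * which wraps to exactly BLOCK_SIZE (one element) in unsigned arithmetic. */
long overflowing_count(void)
{
    return (long)(SIZE_MAX / BLOCK_SIZE + 2);
}

int main(void)
{
    long nr = overflowing_count();
    printf("nr = %ld\n", nr);
    printf("vulnerable check accepts %ld byte(s)\n", vulnerable_check(nr));
    printf("hardened check returns %ld\n", hardened_check(nr));
    return 0;
}
```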
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-memory-corruption-via-do-io-submit-9959