Vigil@nce: Linux kernel, memory corruption via ARM OABI
May 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
On an ARM processor, with the OABI support enabled, a local
attacker can corrupt the kernel memory, in order to create a
denial of service and possibly to execute code.
– Severity: 1/4
– Creation date: 02/05/2011
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
Applications for ARM processors can be compiled against one of two ABIs
(Application Binary Interfaces):
– OABI (Old ABI), supported by the kernel, if it is compiled with
CONFIG_OABI_COMPAT
– EABI (Embedded ABI)
The semtimedop() system call processes operations on a semaphore:
semtimedop(semid, sops, nsops, timeout);
The sys_oabi_semtimedop() function of the arch/arm/kernel/sys_oabi-compat.c
file implements the semtimedop() system call. However, the number
of operations "nsops" is not checked. An attacker can thus pass a
large value, so the computed allocation size overflows: a memory area
that is too short is allocated, and the "sops" operations then
overwrite it.
On an ARM processor, with the OABI support enabled, a local
attacker can therefore corrupt the kernel memory, in order to
create a denial of service and possibly to execute code.
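The pattern described above, an unchecked count multiplied into a 32-bit allocation size, is illustrated below in an added example written for this page; it is not kernel code and not the bulletin's own material. The record layout, the cap MAX_OPS and the function names are assumptions made for the demonstration (the kernel has its own per-call limit, whose value the bulletin does not give). The unchecked function shows how the size wraps, the checked one shows the range check that prevents it.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for one semaphore operation record (8 bytes); the
 * kernel's real structure layouts are deliberately not reproduced here. */
struct op_record {
    uint16_t sem_num;
    int16_t  sem_op;
    int16_t  sem_flg;
    uint16_t pad;
};

#define RECORD_SIZE ((uint32_t)sizeof(struct op_record))

/* Assumed cap on operations per call (illustrative value, not the kernel's). */
#define MAX_OPS 32u

/* Vulnerable pattern: the allocation size is derived from the untrusted
 * nsops in 32-bit arithmetic (an ARM kernel is 32-bit) with no range
 * check, so the multiplication can wrap around. */
uint32_t alloc_size_unchecked(uint32_t nsops)
{
    return RECORD_SIZE * nsops;   /* wraps modulo 2^32 */
}

/* Bytes a per-operation copy loop would actually write: nsops records,
 * counted in 64-bit so the figure itself cannot wrap. */
uint64_t bytes_written_by_loop(uint32_t nsops)
{
    return (uint64_t)RECORD_SIZE * nsops;
}

/* True when the buffer allocated by the unchecked computation is smaller
 * than what the loop writes, i.e. a heap overflow condition exists. */
bool allocation_too_small(uint32_t nsops)
{
    return (uint64_t)alloc_size_unchecked(nsops) < bytes_written_by_loop(nsops);
}

/* Hardened pattern: reject nsops outside [1, MAX_OPS] before any arithmetic.
 * Returns 0 and fills *size on success, -EINVAL otherwise. */
int alloc_size_checked(uint32_t nsops, uint32_t *size)
{
    if (nsops < 1 || nsops > MAX_OPS)
        return -EINVAL;
    *size = RECORD_SIZE * nsops;   /* cannot wrap: at most 8 * MAX_OPS bytes */
    return 0;
}

/* Convenience wrapper: the checked size, or 0 when the count is rejected. */
uint32_t checked_size_or_zero(uint32_t nsops)
{
    uint32_t size = 0;
    if (alloc_size_checked(nsops, &size) != 0)
        return 0;
    return size;
}

int main(void)
{
    uint32_t nsops = 0x20000001u;  /* constructed value: 8 * nsops == 2^32 + 8 */

    printf("unchecked: nsops=%#x allocates %u bytes, loop writes %llu bytes, overflow=%s\n",
           nsops, alloc_size_unchecked(nsops),
           (unsigned long long)bytes_written_by_loop(nsops),
           allocation_too_small(nsops) ? "yes" : "no");
    printf("checked:   nsops=%#x -> %s\n", nsops,
           checked_size_or_zero(nsops) ? "accepted" : "rejected (-EINVAL)");
    printf("checked:   nsops=4 -> %u bytes\n", checked_size_or_zero(4u));
    return 0;
}
```

The range check is the whole fix: once nsops is bounded by a small constant, the size multiplication can no longer wrap, and the copy loop can never run past the buffer it was given.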
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-memory-corruption-via-ARM-OABI-10612