Vigil@nce - Linux kernel: memory corruption via pipe_iov_copy
August 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can generate a memory corruption in pipe_iov_copy
functions of the Linux kernel, in order to trigger a denial of
service, and possibly to execute code.
Impacted products: Debian, Linux, RHEL, SUSE Linux Enterprise
Desktop, SLES, Ubuntu
Severity: 2/4
Creation date: 03/06/2015
DESCRIPTION OF THE VULNERABILITY
The Linux kernel implements Unix pipes using the virtual PipeFS
filesystem (fs/pipe.c).
The pipe read and write paths use pipe_iov_copy_to_user() and
pipe_iov_copy_from_user() from fs/pipe.c. However, if the iovec
size is inconsistent with the requested length, these functions
copy to or from invalid memory areas.
A local attacker can therefore generate a memory corruption in
pipe_iov_copy functions of the Linux kernel, in order to trigger a
denial of service, and possibly to execute code.
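As an added illustration, not taken from the bulletin or from the kernel source, the following userland model shows the defensive check such an iovec-walking copy helper needs: confirm that the iovec array really describes the requested length before touching any memory. The struct, the function names and the sample buffers are assumptions for this example; the kernel's actual fix is not reproduced here.

```c
#include <stddef.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>

/* Userland stand-in for struct iovec (hypothetical, same shape as <sys/uio.h>). */
struct iov { char *base; size_t len; };

/* Does the iovec array describe exactly `want` bytes?
 * Rejects a short array, an oversized entry, and a wrapping sum of lengths. */
static int iov_covers(const struct iov *iov, size_t n, size_t want)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (iov[i].len > want - total)   /* entry would overrun the request */
            return 0;
        total += iov[i].len;
    }
    return total == want;
}

/* Model of a copy-to-user helper: refuse up front when the iovec is
 * inconsistent with `len`, so no copy ever starts on a bad description. */
int model_iov_copy_to_user(struct iov *iov, size_t n, const char *src, size_t len)
{
    if (!iov_covers(iov, n, len))
        return -EFAULT;
    for (size_t i = 0, off = 0; i < n; off += iov[i].len, i++)
        memcpy(iov[i].base, src + off, iov[i].len);
    return 0;
}

/* Constructed scenario: two 4-byte user buffers, 8 bytes requested.
 * inconsistent=1 makes the iovec claim only 6 bytes. Returns the helper's
 * result, or 1 if the consistent copy produced the wrong bytes. */
int model_case(int inconsistent)
{
    char a[4] = {0}, b[4] = {0};
    struct iov v[] = { { a, 4 }, { b, inconsistent ? 2 : 4 } };
    const char *data = "ABCDEFGH";   /* constructed sample payload */
    int rc = model_iov_copy_to_user(v, 2, data, 8);
    if (rc == 0 && (memcmp(a, "ABCD", 4) || memcmp(b, "EFGH", 4)))
        return 1;
    return rc;
}

int main(void)
{
    printf("consistent iovec: %d\n", model_case(0));
    printf("inconsistent iovec: %d\n", model_case(1));
    return 0;
}
```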
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-memory-corruption-via-pipe-iov-copy-17038