Vigil@nce - Linux kernel: use after free via VFS Symlink
July 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use a freed memory area in VFS via a Symlink, in
order to trigger a denial of service in the Linux kernel, and
possibly to execute code.
Impacted products: Linux
Severity: 1/4
Creation date: 24/07/2014
DESCRIPTION OF THE VULNERABILITY
The umount system call is used to unmount a filesystem.
Usually a symbolic link can not be used as a mount point. However,
the source file "fs/namei.c" uselessly increments a reference
counter, which prevents the umount operation. So resources are not
freed, which can lead to the use of a freed memory area.
An attacker can therefore use a freed memory area in VFS via a
Symlink, in order to trigger a denial of service in the Linux
kernel, and possibly to execute code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-use-after-free-via-VFS-Symlink-15094