Vigil@nce - Linux kernel: use after free via aufs
December 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can force the usage of a freed memory area on the
aufs filesystem on Linux kernel, in order to trigger a denial of
service, and possibly to run code.
Impacted products: Linux, Ubuntu.
Severity: 2/4.
Creation date: 20/10/2015.
DESCRIPTION OF THE VULNERABILITY
The Linux kernel can be compiled with the support of aufs
(Advanced Union Filesystem).
The msync() system call writes the content of modified memory
pages on the disk :
int msync(void *addr, size_t len, int flags);
However, when two calls to msync() are done simultaneously, the
kernel frees a memory area before reusing it.
A local attacker can therefore force the usage of a freed memory
area on the aufs filesystem on Linux kernel, in order to trigger a
denial of service, and possibly to run code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-use-after-free-via-aufs-18138