Vigil@nce - FreeBSD: denial of service via pseudofs
November 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can use a pseudofs filesystem, in order to stop
the kernel, and possibly to execute privileged code.
Severity: 2/4
Creation date: 15/11/2010
DESCRIPTION OF THE VULNERABILITY
The pseudofs API is used by procfs and linprocfs filesystems.
The pfs_getextattr() function obtains extended attributes of a
pseudofs filesystem. However, this function calls pfs_unlock() to
unlock a mutex, which is not locked. This error stops the kernel.
On systems where the user can map the memory page at address zero,
the attacker can thus place there a fake mutex, so a null byte
will be written in the kernel memory. In this case, code execution
is possible.
A local attacker can therefore use a pseudofs filesystem, in order
to stop the kernel, and possibly to execute privileged code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/FreeBSD-denial-of-service-via-pseudofs-10122