Vigil@nce: Linux, bypassing the CPU limit of SELinux
February 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
The kernel with SELinux does not correctly define the CPU resource
limit of a program.
Severity: 1/4
Consequences: denial of service of the computer
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 11/02/2010
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The linux_binprm structure stores arguments used when a program is
loaded.
The selinux_bprm_committing_creds() function of the
security/selinux/hooks.c file updates the resource limits of the
program. This function calls update_rlimit_cpu() to set the CPU
limit. However, an incorrect variable is passed, so the limit that
is set is invalid.
The kernel with SELinux therefore does not correctly define the
CPU resource limit of a program.
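Added example, not from the advisory or the kernel source: a simplified
userspace C model of this class of error, assuming the incorrect variable
is a loop pointer that still refers to the last entry of the limit table
when the CPU limit is applied. All names and values are hypothetical and
constructed for illustration.

```c
#include <stdio.h>

/* Simplified userspace model with hypothetical names; not kernel code. */
enum { RES_CPU, RES_FSIZE, RES_DATA, RES_STACK, RES_NLIMITS };
struct limit { unsigned long cur, max; };

static unsigned long armed_cpu;  /* value last used to arm the CPU timer */

/* Stand-in for update_rlimit_cpu(): records the value it is given. */
static void arm_cpu_timer(unsigned long v) { armed_cpu = v; }

static unsigned long min_ul(unsigned long a, unsigned long b) { return a < b ? a : b; }

/* Assumed bug: 'l' still points at the last entry once the loop ends. */
unsigned long reset_limits_buggy(struct limit *t, const struct limit *init)
{
    struct limit *l = t;
    for (int i = 0; i < RES_NLIMITS; i++) {
        l = t + i;
        l->cur = min_ul(l->max, init[i].cur);   /* reset soft limit */
    }
    arm_cpu_timer(l->cur);                       /* wrong entry is used */
    return armed_cpu;
}

/* Corrected form: index the CPU entry explicitly. */
unsigned long reset_limits_fixed(struct limit *t, const struct limit *init)
{
    for (int i = 0; i < RES_NLIMITS; i++)
        t[i].cur = min_ul(t[i].max, init[i].cur);
    arm_cpu_timer(t[RES_CPU].cur);
    return armed_cpu;
}

/* Constructed sample: the reference table allows 10 s of CPU time. */
static const struct limit init_tbl[RES_NLIMITS] =
    {{10, 10}, {1000, 1000}, {2000, 2000}, {8192, 8192}};

/* Runs one variant on a fresh constructed task table (CPU limit 60 s). */
unsigned long demo(int fixed)
{
    struct limit task[RES_NLIMITS] =
        {{60, 60}, {5000, 5000}, {5000, 5000}, {99999, 99999}};
    return fixed ? reset_limits_fixed(task, init_tbl)
                 : reset_limits_buggy(task, init_tbl);
}

int main(void)
{
    printf("buggy variant arms CPU timer with %lu\n", demo(0));
    printf("fixed variant arms CPU timer with %lu\n", demo(1));
    return 0;
}
```

In the buggy variant the CPU entry in the table holds the right value, but
the timer that enforces it is armed with the value of an unrelated limit.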
CHARACTERISTICS
Identifiers: BID-38175, VIGILANCE-VUL-9442
http://vigilance.fr/vulnerability/Linux-bypassing-the-CPU-limit-of-SELinux-9442