Vigil@nce: Linux kernel, NULL dereference via nfs4_proc_lock
November 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can use a lock on a NFS file in order to stop the
kernel.
Severity: 2/4
Consequences: administrator access/rights, denial of service of
computer
Provenance: user shell
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 09/11/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The state structure contains the NFS state of a file.
The nfs4_proc_lock() and nfs4_proc_setlk() functions from file
fs/nfs/nfs4proc.c obtain a lock on a file. The state structure can
be NULL. The nfs4_proc_setlk() function therefore dereference a
NULL pointer.
A local attacker can thus use a lock on a NFS file in order to
stop the kernel.
An attacker can also use this vulnerability with
VIGILANCE-VUL-8953 (https://vigilance.fr/tree/1/8953)/VIGILANCE-VUL-8861
(https://vigilance.fr/tree/1/8861) in order to elevate his
privileges.
CHARACTERISTICS
Identifiers: BID-36936, CVE-2009-3726, VIGILANCE-VUL-9180
http://vigilance.fr/vulnerability/Linux-kernel-NULL-dereference-via-nfs4-proc-lock-9180