Vigil@nce: Linux kernel, denial of service via ipcs
March 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can use the ipcs command to stop the system.
Gravity: 1/4
Consequences: denial of service of computer
Provenance: user shell
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: low (1/3)
Creation date: 06/03/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The CONFIG_SHMEM configuration directive indicates to use an
internal file system (shmem) to handle the shared memory. It is
enabled by default. When CONFIG_SHMEM is disabled, the memory is
handled via ramfs.
When shmem is used, the shm_get_stat() function has to use a
"shmem_inode_info" structure. Otherwise, this structure must not
be used.
However, when CONFIG_SHMEM is disabled, the shm_get_stat()
function uses a spin_lock on the "shmem_inode_info" structure. As
this structure is not valid in ramfs mode, this error panics the
kernel.
The shm_get_stat() function is used by the ipcs command
(statistics on IPC).
A local attacker can therefore call the ipcs command to stop the
system, when CONFIG_SHMEM is disabled.
CHARACTERISTICS
Identifiers: VIGILANCE-VUL-8516
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-ipcs-8516