Vigil@nce: Linux kernel, denial of service via splice
June 2009 by Vigil@nce
A local attacker can create a denial of service on a process using
splice().
Severity: 1/4
Consequences: denial of service of service
Provenance: user shell
Means of attack: 1 proof of concept
Ability of attacker: specialist (3/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 03/06/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The splice() system call moves data between two file descriptors:
splice(fd_in, off_in, fd_out, off_out, len, flags);
Two locks are used to handle concurrent access.
When the first descriptor is a pipe, the write locking sequence is
invalid, so an interlocking occurs. The file associated to the
second descriptor then becomes unusable.
A local attacker, allowed to write to a file, can therefore block
accesses to this file. This creates a denial of service on
programs using this file.
CHARACTERISTICS
Identifiers: BID-35143, VIGILANCE-VUL-8756
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-splice-8756