Vigil@nce: Linux kernel, denial of service via fuse_ioctl_copy_user
December 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can use an ioctl on a FUSE filesystem, in order
to stop the kernel.
Severity: 1/4
Consequences: denial of service of computer
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 23/12/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
FUSE (Filesystem in UserSpacE) can be used by a unprivileged user.
The fuse_ioctl_copy_user() function of the fs/fuse/file.c file
manages memory copies from/to the user space. This function uses
(kmap) a memory page. However, the kunmap() function is called
with an invalid pointer, which stops the kernel.
A local attacker can therefore use an ioctl on a FUSE filesystem,
in order to stop the kernel.
CHARACTERISTICS
Identifiers: 549400, VIGILANCE-VUL-9310
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-fuse-ioctl-copy-user-9310