Vigil@nce: Linux kernel, denial of service via PI State
February 2010 by Vigil@nce
A local attacker can create a multithreaded program using
Priority Inheritance in order to stop the kernel.
– Severity: 1/4
– Consequences: denial of service of computer
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 09/02/2010
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The pthread_mutexattr_init(&mutattr) function initializes the
attributes of a mutex. The pthread_mutexattr_setprotocol(&mutattr,
PTHREAD_PRIO_INHERIT) function indicates that the mutex inherits
the priority of its thread. The pthread_mutex_init(..., &mutattr)
function initializes a mutex.
A local attacker can create a thread using PTHREAD_PRIO_INHERIT
in order to initialize the owner field (of type task_struct) of
the pi_state structure (of type futex_pi_state). The attacker can
then stop this thread, which forces the owner field to NULL. Then,
by calling pthread_mutex_init() again and unlocking the mutex, the
pi_state->owner field (which is NULL) is dereferenced.
A local attacker can thus create a multithreaded program using
Priority Inheritance in order to stop the kernel.
CHARACTERISTICS
– Identifiers: VIGILANCE-VUL-9419
– Url: http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-PI-State-9419