Vigil@nce: Linux kernel, denial of service via futex_lock_pi
February 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can create a program using the Priority
Inheritance, in order to stop the kernel.
Severity: 1/4
Consequences: denial of service of computer
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 12/02/2010
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The pthread_mutexattr_init(&mutattr) function initializes
attributes of a mutex. The pthread_mutexattr_setprotocol(&mutattr,
PTHREAD_PRIO_INHERIT) function indicates that the mutex inherits
the priority of its thread. The pthread_mutex_init(..., &mutattr)
function initializes a mutex.
A Priority Inheritance mutex is implemented with a futex (file),
which can be stored on a temporary ext3 filesystem (tmpfs).
The futex_lock_pi() function does not sufficiently decrement the
number of users of a resource. When the tmpfs filesystem is
unmounted, a fatal error then occurs in ext3_put_super().
A local attacker can thus create a program using the Priority
Inheritance and tmpfs, in order to stop the kernel.
CHARACTERISTICS
Identifiers: 14256, VIGILANCE-VUL-9448
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-futex-lock-pi-9448