Vigil@nce: Linux kernel, denial of service via find_keyring_by_name
April 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can use keyctl to force the kernel to use an invalid
memory area, which stops it.
– Severity: 1/4
– Creation date: 27/04/2010
DESCRIPTION OF THE VULNERABILITY
The keyctl feature is used by users and processes to store keys in
the kernel:
– KEY_SPEC_PROCESS_KEYRING: current process
– KEY_SPEC_USER_SESSION_KEYRING: current shell (session)
– etc.
The find_keyring_by_name() function looks up a key by its name.
However, if the user has recently closed a session, this function can
return a key that was recently freed (a use-after-free); using it stops
the kernel.
A local attacker can therefore use keyctl to force the kernel to use an
invalid memory area, which stops it.
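As an added illustration (not code from the bulletin or from the kernel), the following constructed C model shows the lookup pattern behind this flaw next to a checked variant that refuses a keyring whose last reference is already gone; the table, keyring_create, keyring_put and the checked flag are assumptions of the model.

```c
#include <string.h>
/* Constructed model of a name-indexed keyring table (not the kernel's real
 * structures), showing the flaw described above: a lookup by name that
 * does not refuse an object whose last reference is already gone. */
#define MAX_KEYRINGS 4
struct keyring {
    char name[32];
    int usage;      /* reference count; 0 means destruction has begun */
    int destroyed;  /* stands in for the memory having been freed */
};
static struct keyring table[MAX_KEYRINGS];
/* Register a keyring under a name, holding one reference. */
struct keyring *keyring_create(const char *name) {
    for (int i = 0; i < MAX_KEYRINGS; i++)
        if (table[i].name[0] == '\0') {
            strncpy(table[i].name, name, sizeof table[i].name - 1);
            table[i].usage = 1;
            return &table[i];
        }
    return NULL;
}
/* Drop a reference; the last one destroys the keyring, but its name stays
 * in the index, which is what a closed session leaves behind. */
void keyring_put(struct keyring *k) {
    if (--k->usage == 0)
        k->destroyed = 1;
}
/* checked == 0: the vulnerable pattern, a reference is taken unconditionally
 * and a just-destroyed keyring is handed back. checked == 1: a reference is
 * taken only while usage is still non-zero (in the kernel this must be an
 * atomic inc-if-not-zero, since the lookup races with destruction). */
struct keyring *find_keyring_by_name(const char *name, int checked) {
    for (int i = 0; i < MAX_KEYRINGS; i++)
        if (strcmp(table[i].name, name) == 0) {
            if (checked && table[i].usage == 0)
                return NULL;
            table[i].usage++;
            return &table[i];
        }
    return NULL;
}
/* Session ends, then both lookups run: returns 1 if only the unchecked
 * lookup hands back the destroyed keyring. */
int demo_destroyed_lookup(void) {
    struct keyring *k = keyring_create("session.demo");
    keyring_put(k);
    struct keyring *good = find_keyring_by_name("session.demo", 1);
    struct keyring *bad = find_keyring_by_name("session.demo", 0);
    return good == NULL && bad != NULL && bad->destroyed == 1;
}
```

The checked lookup reports the keyring as absent once its reference count has hit zero, which is the property a fix for this class of bug has to guarantee.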
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-find-keyring-by-name-9616