Vigil@nce: Linux kernel, denial of service via knfsd
May 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When knfsd exports files from a shmemfs (tmpfs) filesystem on a system
configured for strict memory overcommit, a local attacker can force the
kernel to dereference a NULL pointer, which stops the system.
– Severity: 1/4
– Creation date: 26/05/2010
DESCRIPTION OF THE VULNERABILITY
The "overcommit" setting (/proc/sys/vm/overcommit_memory) controls how
the kernel accounts for memory allocation requests:
0 : heuristic overcommit: an allocation succeeds unless it is obviously
larger than the memory available
1 : always overcommit: every allocation succeeds, whatever memory is
available
2 : strict overcommit (no overcommit): allocations are accounted against
a limit derived from overcommit_ratio and refused beyond it
A shmfs/shmemfs (tmpfs) filesystem stores its files in memory rather
than on disk.
The Linux kernel implements an NFS server (knfsd), which runs as kernel
threads.
When a shmemfs filesystem is exported via NFS and overcommit is strict,
the accounting check performed for an allocation consults the calling
task's address space through current->mm. A kernel thread such as knfsd
has no user address space, so current->mm is NULL there, and the check
dereferences it.
When knfsd is used to export files on a shmemfs filesystem, a local
attacker can therefore exhaust memory in order to reach this path and
stop the system.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-knfsd-9666