Vigil@nce: Linux kernel: denial of service via keyctl (KEYCTL_SESSION_TO_PARENT)
September 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can use keyctl(KEYCTL_SESSION_TO_PARENT) in order to
stop the kernel.
– Severity: 2/4
– Creation date: 03/09/2010
DESCRIPTION OF THE VULNERABILITY
The keyctl_session_to_parent() function in the file
security/keys/keyctl.c handles the KEYCTL_SESSION_TO_PARENT
operation of the keyctl system call. It allows a process to pass
its keyring to its parent process.
During the keyring transfer, numerous checks are performed. However,
if the parent does not have a keyring, a NULL pointer is
dereferenced, stopping the kernel.
An attacker can therefore use keyctl(KEYCTL_SESSION_TO_PARENT) in
order to stop the kernel.
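
The missing check described above, as an added example: a simplified userspace model, not the kernel's code and not part of the bulletin. The struct layouts, function names and the particular ownership checks are assumptions standing in for the bulletin's "numerous checks", and the model assumes that a parent without a keyring is a valid state that should be accepted.

```c
/* Added illustration: simplified userspace model, not the kernel's code.
 * All struct and function names here are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct keyring { unsigned int uid; };      /* owner of the keyring */
struct cred {
    unsigned int uid, euid;
    struct keyring *session_keyring;       /* NULL when the process has none */
};

/* Flawed pattern: the ownership check assumes the parent has a keyring.
 * With parent->session_keyring == NULL the read of ->uid faults; in kernel
 * context that fault is the stop the bulletin describes. */
int to_parent_unchecked(const struct cred *child, const struct cred *parent)
{
    if (parent->uid != child->euid)
        return -EPERM;
    if (parent->session_keyring->uid != child->euid)   /* NULL dereference */
        return -EPERM;
    if (child->session_keyring->uid != child->euid)
        return -EPERM;
    return 0;
}

/* Hardened pattern: the owner comparison on the parent's keyring is
 * applied only when the parent actually has one. */
int to_parent_checked(const struct cred *child, const struct cred *parent)
{
    if (child->session_keyring == NULL)
        return -EINVAL;                    /* nothing to hand over */
    if (parent->uid != child->euid)
        return -EPERM;
    if (parent->session_keyring != NULL &&
        parent->session_keyring->uid != child->euid)
        return -EPERM;
    if (child->session_keyring->uid != child->euid)
        return -EPERM;
    return 0;
}

int main(void)
{
    struct keyring kr = { 1000 };          /* constructed sample values */
    struct cred child = { 1000, 1000, &kr };
    struct cred parent_without_keyring = { 1000, 1000, NULL };
    printf("checked: %d\n", to_parent_checked(&child, &parent_without_keyring));
    return 0;
}
```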