Vigil@nce: Linux kernel, denial of service via ksm_do_scan
June 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can use the KSM feature in order to stop the
kernel.
– Severity: 1/4
– Creation date: 07/06/2011
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The MADV_MERGEABLE attribute can be set on a memory region with
"madvise(memory_address, memory_size, MADV_MERGEABLE)". The KSM
(Kernel Samepage Merging) feature of the Linux kernel then searches
for pages whose content is identical to that of another page, and
merges the duplicates into a single shared page.
The ksm_do_scan() function in the mm/ksm.c file calls
scan_get_next_rmap_item() to walk the mergeable memory pages, which
are kept in a linked list. However, if the list has already been
fully processed, a NULL pointer is dereferenced.
A local attacker can therefore use the KSM feature in order to
stop the kernel.
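The scan loop described above only runs while the ksmd thread is active. The following script, added here as an exposure check and not part of the Vigil@nce bulletin, reads the kernel's documented KSM sysfs interface (/sys/kernel/mm/ksm) to report whether ksmd is scanning on a host; the directory argument is only there so the check can be pointed at a copied sysfs tree.

```shell
#!/bin/sh
# KSM exposure check (constructed example). Reports whether ksmd is scanning
# mergeable regions on this host. Usage: sh ksm_check.sh [ksm_sysfs_dir]

# Meaning of the documented values of /sys/kernel/mm/ksm/run.
ksm_run_state() {
    case "$1" in
        0) echo "stopped" ;;
        1) echo "running" ;;
        2) echo "stop-and-unmerge" ;;
        *) echo "unknown" ;;
    esac
}

# ksmd only enters its scan loop while run == 1 (and some process has
# registered a MADV_MERGEABLE region); with run == 0 or 2 no scan happens.
ksmd_scans() {
    if [ "$1" = "1" ]; then echo "yes"; else echo "no"; fi
}

# Read one sysfs attribute, printing "n/a" when it is absent.
read_attr() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo "n/a"; fi
}

# Print a one-host summary: kernel release, KSM run state, scan statistics.
ksm_report() {
    dir="${1:-/sys/kernel/mm/ksm}"
    if [ ! -d "$dir" ]; then
        echo "ksm: $dir not present (KSM not built into this kernel)"
        return 0
    fi
    run="$(read_attr "$dir" run)"
    echo "kernel: $(uname -r)"
    echo "ksm run=$run ($(ksm_run_state "$run")) ksmd_scanning=$(ksmd_scans "$run")"
    echo "pages_shared=$(read_attr "$dir" pages_shared)" \
         "pages_sharing=$(read_attr "$dir" pages_sharing)" \
         "full_scans=$(read_attr "$dir" full_scans)"
}

ksm_report "$@"
```

A host that reports run=1 has ksmd walking the mergeable-page list and is the case this bulletin concerns; run=0 or 2 means the ksm_do_scan() loop is not entered.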
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-ksm-do-scan-10715