Vigil@nce: Linux kernel, denial of service via key_replace_session_keyring
June 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can use the keyctl() system call, in order to
create a denial of service.
– Severity: 1/4
– Creation date: 06/06/2011
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The keyctl() system call manipulates the kernel key management
facility. The KEYCTL_SESSION_TO_PARENT operation asks the kernel to
install the caller's session keyring as the session keyring of the
parent process.
The key_replace_session_keyring() function of the
security/keys/process_keys.c file replaces the session keyring of a
process. It is called when KEYCTL_SESSION_TO_PARENT is used.
However, this function does not initialize the "user_ns" field, so
the kernel later reads from an invalid memory address.
A local attacker can therefore use the keyctl() system call, in
order to create a denial of service.
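The following is an added example, not part of the Vigil@nce bulletin or of the kernel sources: a defender-side containment measure that confines a process with a seccomp-BPF filter so that keyctl(KEYCTL_SESSION_TO_PARENT) is refused with EPERM while other keyctl operations and all other system calls remain allowed. It includes a small evaluator for the filter so its decisions can be checked without installing it. The code assumes a little-endian Linux host with the UAPI headers (linux/filter.h, linux/seccomp.h, linux/keyctl.h); for brevity it omits the seccomp_data.arch check that a production filter must perform before trusting the syscall number. Confining untrusted processes this way limits exposure but does not replace the kernel fix.

```c
/* Added example, not part of the Vigil@nce bulletin: a seccomp-BPF filter that
 * refuses keyctl(KEYCTL_SESSION_TO_PARENT, ...) with EPERM inside a confined
 * process, plus a small evaluator so the filter's decisions can be checked
 * without installing it.  Assumes a little-endian Linux host with the UAPI
 * headers; a production filter must also check seccomp_data.arch first. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/keyctl.h>

#define DENY_EPERM (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* The filter: deny only keyctl(KEYCTL_SESSION_TO_PARENT), allow everything else. */
static struct sock_filter filter[] = {
    /* A = syscall number */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    /* not keyctl?  jump forward 3 to "allow" */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_keyctl, 0, 3),
    /* A = low 32 bits of args[0] (the keyctl operation code, little-endian) */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
    /* operation != KEYCTL_SESSION_TO_PARENT?  jump forward 1 to "allow" */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, KEYCTL_SESSION_TO_PARENT, 0, 1),
    /* deny: the syscall returns -1 with errno = EPERM; the process keeps running */
    BPF_STMT(BPF_RET | BPF_K, DENY_EPERM),
    /* allow */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define FILTER_LEN (sizeof filter / sizeof filter[0])

/* Minimal cBPF evaluator for the three instruction kinds used above. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (ins->k + sizeof acc > sizeof *d)
                return SECCOMP_RET_KILL;            /* out-of-bounds load: fail closed */
            memcpy(&acc, (const unsigned char *)d + ins->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == ins->k) ? ins->jt : ins->jf;  /* the loop adds the +1 */
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL;                /* unsupported opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL;                        /* fell off the end: fail closed */
}

/* What the filter would decide for syscall `nr` called with first argument `arg0`. */
uint32_t decide(int nr, unsigned long arg0)
{
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.args[0] = arg0;
    return run_filter(filter, FILTER_LEN, &d);
}

/* Install the filter in the calling process (irreversible, inherited by children). */
int install_filter(void)
{
    struct sock_fprog prog = { .len = (unsigned short)FILTER_LEN, .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    printf("keyctl(KEYCTL_SESSION_TO_PARENT): %s\n",
           decide(__NR_keyctl, KEYCTL_SESSION_TO_PARENT) == DENY_EPERM ? "EPERM" : "allow");
    printf("keyctl(KEYCTL_GET_KEYRING_ID):    %s\n",
           decide(__NR_keyctl, KEYCTL_GET_KEYRING_ID) == SECCOMP_RET_ALLOW ? "allow" : "EPERM");
    if (install_filter() != 0) {
        perror("seccomp");
        return 1;
    }
    /* Under the filter, other keyctl operations keep working ... */
    long id = syscall(__NR_keyctl, KEYCTL_GET_KEYRING_ID, KEY_SPEC_THREAD_KEYRING, 0);
    printf("thread keyring id: %ld (%s)\n", id, id < 0 ? strerror(errno) : "ok");
    /* ... while the operation named in the bulletin is refused with EPERM. */
    long r = syscall(__NR_keyctl, KEYCTL_SESSION_TO_PARENT);
    printf("session-to-parent: %ld (%s)\n", r, r < 0 ? strerror(errno) : "allowed");
    return 0;
}
```

The evaluator mirrors the kernel's cBPF semantics for the instructions the filter uses (absolute 32-bit loads from seccomp_data, conditional jumps on the accumulator, and return), which is why the same decide() function can be exercised in a unit test before the filter is ever installed. SECCOMP_RET_ERRNO was chosen over SECCOMP_RET_KILL so that a legitimate program that happens to call the operation gets a clean error instead of being terminated.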
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN