Vigil@nce: Linux kernel, denial of service via key_replace_session_keyring
June 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can use the keyctl() system call in order to create a denial of service.
Creation date: 06/06/2011
DESCRIPTION OF THE VULNERABILITY
The keyctl() system call manages a user's keys. The KEYCTL_SESSION_TO_PARENT operation hands the calling process's session keyring to its parent process.
The key_replace_session_keyring() function in the security/keys/process_keys.c file replaces the keyring of a process, and is called when KEYCTL_SESSION_TO_PARENT is used. However, this function does not initialize the "user_ns" field, so a subsequent access reads from an invalid memory address.
A local attacker can therefore use the keyctl() system call in order to create a denial of service.
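As an added example (not code from the bulletin), a seccomp-bpf filter that refuses the KEYCTL_SESSION_TO_PARENT operation of keyctl() with EPERM while still allowing every other key operation, plus a small user-space evaluator so the filter's decisions can be tested before it is installed. It assumes an x86_64 or aarch64 little-endian Linux host with seccomp filter mode (Linux 3.5 and later, which postdates this bulletin, so it illustrates containment of one keyctl operation rather than a fix for the affected kernels) and the KEYCTL_SESSION_TO_PARENT value 18 from the kernel headers.

```c
/* Added example, not part of the Vigil@nce bulletin: a seccomp-bpf filter that
 * makes keyctl(KEYCTL_SESSION_TO_PARENT, ...) fail with EPERM, so a sandboxed
 * process cannot reach key_replace_session_keyring() on an unpatched kernel. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#define KEYCTL_SESSION_TO_PARENT 18 /* value from the kernel's <linux/keyctl.h> */
#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#error "set SECCOMP_ARCH to this machine's AUDIT_ARCH_* value"
#endif
/* The ABI check comes first so a keyctl issued through a foreign ABI (whose
 * syscall number differs) cannot bypass the deny rule. */
static const struct sock_filter keyctl_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_keyctl, 0, 3), /* other syscalls: allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args)), /* arg0, low 32 bits */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, KEYCTL_SESSION_TO_PARENT, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define FILTER_LEN (sizeof keyctl_filter / sizeof keyctl_filter[0])
/* Evaluates the three cBPF opcodes used above so the filter can be unit-tested before install (little-endian). */
uint32_t keyctl_filter_decide(uint32_t arch, uint32_t nr, uint64_t arg0) {
    struct seccomp_data d = { .nr = (int)nr, .arch = arch, .args = { arg0 } };
    uint32_t acc = 0;
    for (size_t pc = 0; pc < FILTER_LEN; pc++) {
        const struct sock_filter *in = &keyctl_filter[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS)) memcpy(&acc, (char *)&d + in->k, 4);
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K)) pc += acc == in->k ? in->jt : in->jf;
        else if (in->code == (BPF_RET | BPF_K)) return in->k;
    }
    return SECCOMP_RET_KILL; /* not reached: every path ends in a RET */
}
/* Apply to the calling process and everything it later forks or execs; no privilege needed. */
int install_keyctl_filter(void) {
    struct sock_fprog prog = { .len = FILTER_LEN, .filter = (struct sock_filter *)keyctl_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

Call install_keyctl_filter() early in a sandbox launcher, before dropping into the untrusted code; the filter is inherited across fork() and execve().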
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN