Vigil@nce: Linux kernel, memory modification under SGI UV
July 2009 by Vigil@nce
On a Silicon Graphics UV computer, a local attacker can write a
null byte into kernel memory via the sgi-gru driver.
– Severity: 1/4
– Consequences: data creation/edition
– Provenance: user shell
– Means of attack: 1 proof of concept
– Ability of attacker: specialist (3/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: low (1/3)
– Creation date: 22/07/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The Silicon Graphics UV (Ultraviolet) computer has a GRU physical
memory which can be used via the sgi-gru driver of Linux.
The options_write() function of drivers/misc/sgi-gru/gruprocfs.c
is used to access the GRU via procfs (/proc/gru/debug_options).
By default, only root can write to this file (mode 0644).
The options_write() function terminates a character string by adding a
'\0'. The size of the string is checked, but the position at which
this character is written is not.
A local attacker who is allowed to write to /proc/gru/debug_options can
therefore write a null byte into kernel memory.
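The flaw described above, as an added user-space model in C; it is not the driver's source and not part of the original advisory. The 80-byte buffer, the guard regions, the count - 1 terminator index, the sample input and all function names are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 80  /* assumed buffer size */
#define GUARD   16  /* model only: stands in for memory next to the buffer */

static unsigned char arena[GUARD + BUF_LEN + GUARD];
static unsigned char *const buf = arena + GUARD;
static const char input[BUF_LEN + GUARD] = "3\n"; /* constructed sample write */

/* Count the '\0' bytes that landed in the guard regions around buf. */
static int stray_nuls(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof(arena); i++)
        if ((i < GUARD || i >= GUARD + BUF_LEN) && arena[i] == '\0')
            n++;
    return n;
}

/* Modelled flaw: the copy length is capped, the terminator index is not. */
static int write_unchecked(size_t count)
{
    long off = (long)count - 1;                 /* count == 0 gives -1 */
    memset(arena, 0xAA, sizeof(arena));         /* sentinel fill */
    memcpy(buf, input, count < BUF_LEN - 1 ? count : BUF_LEN - 1);
    if (off >= -GUARD && off < BUF_LEN + GUARD) /* keep the model defined */
        buf[off] = '\0';                        /* position never validated */
    return stray_nuls();
}

/* Hardened form: reject the length before it is used as an index. */
static int write_checked(size_t count)
{
    memset(arena, 0xAA, sizeof(arena));
    if (count >= BUF_LEN)
        return -EINVAL;
    memcpy(buf, input, count);
    buf[count] = '\0';
    return stray_nuls();
}

int main(void)
{
    printf("%d %d %d\n", write_unchecked(0), write_unchecked(81), write_checked(81));
    return 0;
}
```

In the model, a zero-length write and any write longer than the buffer each place one null byte in a guard region, while the checked variant either stays inside the buffer or returns -EINVAL.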
CHARACTERISTICS
– Identifiers: BID-35753, VIGILANCE-VUL-8880
– Url: http://vigilance.fr/vulnerability/Linux-kernel-memory-modification-under-SGI-UV-8880