Vigil@nce: Linux kernel, memory corruption via FASYNC
January 2010 by Vigil@nce
A local attacker can use an asynchronous file descriptor to corrupt
kernel memory, which causes a denial of service or leads to code
execution.
– Severity: 2/4
– Consequences: administrator access/rights, denial of service of the
computer
– Provenance: user shell
– Means of attack: 1 proof of concept
– Ability of attacker: specialist (3/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 15/01/2010
IMPACTED PRODUCTS
– Linux kernel
– Red Hat Enterprise Linux
DESCRIPTION OF THE VULNERABILITY
The FIOASYNC ioctl (or O_ASYNC set through fcntl(F_SETFL)) puts a
file descriptor in asynchronous mode. The kernel then sets the FASYNC
flag in the "file" structure backing the descriptor and sends the
SIGIO signal to the owning process when the descriptor becomes ready,
for example when data becomes available to read.
fasync_helper() records each asynchronous file descriptor as a
fasync_struct entry on a linked list attached to the underlying
object; kill_fasync() walks that list and calls send_sigio() for each
entry, using the entry's file pointer and descriptor number. When the
file is also locked, an entry is additionally kept on the
file_lock.fl_fasync list, the list used to notify the holder of a
lease.
When the file descriptor is closed, its entry is removed from the
first list but not from the second. The stale fl_fasync entry still
points at the freed "file" structure, so the next notification makes
send_sigio() dereference an invalid pointer (a use-after-free).
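The legitimate SIGIO path described above, as an added example that is not part of the Vigil@nce advisory: a user-space C program (Linux only) that puts the read end of a pipe in asynchronous mode with FIOASYNC, names itself as owner with F_SETOWN, and uses the Linux-specific F_SETSIG so that the delivered siginfo carries the si_fd and si_band values that send_sigio() fills in from the fasync_struct entry. It then writes one byte and checks the signal that the kernel's fasync list delivered. The names enable_async(), wait_for_sigio(), demo_pipe_sigio() and struct sigio_result are this example's own; it exercises only the normal mechanism and does not reproduce the lock-related bug.

```c
#define _GNU_SOURCE             /* for F_SETSIG in glibc's <fcntl.h> */
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <time.h>
#include <unistd.h>

#ifndef F_SETSIG
#define F_SETSIG 10             /* Linux value from <asm-generic/fcntl.h> */
#endif

/* What the kernel put in siginfo for one asynchronous notification
 * (struct name chosen for this example). */
struct sigio_result {
    int signo;   /* signal dequeued, or -1 if none arrived */
    int fd;      /* siginfo.si_fd: the fa_fd stored in the fasync_struct */
    long band;   /* siginfo.si_band: the POLL_* reason as poll(2) bits */
};

/* Put fd in asynchronous mode. FIOASYNC makes the kernel add a
 * fasync_struct for (fd, file) to the object's fasync list and set FASYNC
 * in file->f_flags; F_SETOWN names the recipient of the notification;
 * F_SETSIG replaces plain SIGIO (which carries no descriptor information)
 * with a queued signal whose siginfo includes si_fd and si_band. */
static int enable_async(int fd, int sig)
{
    int on = 1;

    if (fcntl(fd, F_SETOWN, getpid()) == -1)
        return -1;
    if (fcntl(fd, F_SETSIG, sig) == -1)
        return -1;
    if (ioctl(fd, FIOASYNC, &on) == -1)     /* equivalent to F_SETFL | O_ASYNC */
        return -1;
    return 0;
}

/* Wait up to timeout_ms for `sig` (which the caller has already blocked)
 * and report the siginfo fields that send_sigio() filled in. */
static struct sigio_result wait_for_sigio(int sig, int timeout_ms)
{
    struct sigio_result r = { -1, -1, 0 };
    sigset_t set;
    siginfo_t info;
    struct timespec ts = { timeout_ms / 1000, (timeout_ms % 1000) * 1000000L };

    sigemptyset(&set);
    sigaddset(&set, sig);
    if (sigtimedwait(&set, &info, &ts) == -1)
        return r;                           /* EAGAIN: nothing was queued */
    r.signo = info.si_signo;
    r.fd = info.si_fd;
    r.band = info.si_band;
    return r;
}

/* Make the read side of a pipe asynchronous, write one byte on the write
 * side, and verify that the fasync list delivered a signal naming the read
 * descriptor with POLLIN set. Returns 0 on success, negative on failure. */
int demo_pipe_sigio(struct sigio_result *out)
{
    int p[2];
    int sig = SIGRTMIN;                     /* a queued (real-time) signal */
    sigset_t set, old;
    struct sigio_result r;

    if (pipe(p) == -1)
        return -1;

    /* Block the signal so it stays pending until sigtimedwait() dequeues it. */
    sigemptyset(&set);
    sigaddset(&set, sig);
    sigprocmask(SIG_BLOCK, &set, &old);

    if (enable_async(p[0], sig) == -1) {
        close(p[0]);
        close(p[1]);
        sigprocmask(SIG_SETMASK, &old, NULL);
        return -2;
    }

    /* The write wakes the readers' fasync list: kill_fasync() walks it and
     * calls send_sigio() for our entry with band POLL_IN. */
    if (write(p[1], "x", 1) != 1) {
        close(p[0]);
        close(p[1]);
        sigprocmask(SIG_SETMASK, &old, NULL);
        return -3;
    }

    r = wait_for_sigio(sig, 1000);

    /* Closing the read end removes its fasync_struct from the pipe's list.
     * The advisory's bug is the case where a second list entry survives
     * a close and later hands send_sigio() a freed file pointer. */
    close(p[0]);
    close(p[1]);
    sigprocmask(SIG_SETMASK, &old, NULL);

    if (out)
        *out = r;
    if (r.signo != sig || r.fd != p[0] || !(r.band & POLLIN))
        return -4;
    return 0;
}

int main(void)
{
    struct sigio_result r = { -1, -1, 0 };
    int rc = demo_pipe_sigio(&r);

    printf("rc=%d signo=%d si_fd=%d si_band=0x%lx\n", rc, r.signo, r.fd, r.band);
    return rc ? 1 : 0;
}
```

Without F_SETSIG the kernel sends a plain SIGIO with no si_fd, which is why the example switches to a real-time signal: the reported si_fd is exactly the fa_fd field of the fasync_struct, and the file pointer next to it in that structure is the one that becomes dangling in the vulnerability.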
A local attacker can therefore use an asynchronous file descriptor to
corrupt kernel memory, which causes a denial of service or leads to
code execution.
CHARACTERISTICS
– Identifiers: BID-37806, CVE-2009-4141, RHSA-2010:0046-01,
VIGILANCE-VUL-9355
– Url: http://vigilance.fr/vulnerability/Linux-kernel-memory-corruption-via-FASYNC-9355