Vigil@nce: Linux kernel, memory reading via sys_move_pages
February 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can use the move_pages() system call, in order to
read kernel memory pages.
Severity: 1/4
Consequences: data reading
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 08/02/2010
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The NUMA (Non-Uniform Memory Access) architecture is used on
multi-processors systems, where each node has its own memory area.
The move_pages() system call moves pages to another node:
move_pages(pid, nr_pages, address, nodes, ...);
However, the nodes value is not checked. An attacker can therefore
use a large value or a negative value, to force the kernel to move
pages to a zone which can be read.
A local attacker can thus use the move_pages() system call, in
order to read kernel memory pages.
CHARACTERISTICS
Identifiers: BID-38144, CVE-2010-0415, VIGILANCE-VUL-9417
http://vigilance.fr/vulnerability/Linux-kernel-memory-reading-via-sys-move-pages-9417