Vigil@nce: Linux kernel, memory disclosure via xfs_ioc_fsgetxattr
September 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can use the XFS_IOC_FSGETXATTR IOCTL of the XFS driver
in order to read kernel data.
– Severity: 1/4
– Creation date: 07/09/2010
DESCRIPTION OF THE VULNERABILITY
The xfs_ioc_fsgetxattr() function of the file
fs/xfs/linux-2.6/xfs_ioctl.c handles the XFS_IOC_FSGETXATTR IOCTL
used to obtain extended attributes of a file on an XFS filesystem.
The copy_to_user() function copies a block of kernel memory to a block
of user memory.
The xfs_ioc_fsgetxattr() function fills a local structure with
various information. This structure is then copied to a
caller-provided buffer via the copy_to_user() function. However, not
all fields of the local structure are initialized, so the bytes
they occupy (whatever the kernel stack held before) are leaked to the
caller.
An attacker can therefore use the XFS_IOC_FSGETXATTR IOCTL of the
XFS driver in order to read kernel data.
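The pattern described above, as an added example that is not the kernel's code: a constructed `struct demo_xattr` (not the real `struct fsxattr`) is filled on the stack and copied out, once without clearing it (`fill_unsafe`) and once with a `memset()` first (`fill_safe`); `memcpy()` stands in for `copy_to_user()`, and `nonzero_unassigned_bytes()` is a hypothetical review check for the hardened version.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for the struct an ioctl handler copies back; NOT the real struct fsxattr. */
struct demo_xattr {
    uint32_t flags;
    uint32_t extsize;
    uint32_t nextents;
    uint16_t projid;      /* the compiler inserts alignment padding after this */
    uint32_t reserved[3]; /* never assigned by the handler */
};
/* Bytes after the last explicitly assigned field (projid): every one of them
 * reaches the caller unless the handler clears the whole object first. */
size_t unwritten_bytes(void)
{
    return sizeof(struct demo_xattr)
           - (offsetof(struct demo_xattr, projid) + sizeof(uint16_t));
}

/* Vulnerable pattern: a stack object is partly filled, then copied out whole,
 * so the unassigned bytes carry whatever the kernel stack held before. */
void fill_unsafe(struct demo_xattr *user_out)
{
    struct demo_xattr fa;
    fa.flags = 1; fa.extsize = 4096; fa.nextents = 7; fa.projid = 42;
    memcpy(user_out, &fa, sizeof(fa)); /* stands in for copy_to_user() */
}

/* Hardened pattern: zero every byte (fields, padding, reserved tail) first. */
void fill_safe(struct demo_xattr *user_out)
{
    struct demo_xattr fa;
    memset(&fa, 0, sizeof(fa));
    fa.flags = 1; fa.extsize = 4096; fa.nextents = 7; fa.projid = 42;
    memcpy(user_out, &fa, sizeof(fa)); /* stands in for copy_to_user() */
}

/* Review check: count non-zero bytes outside the assigned fields after the
 * given filler ran. For fill_safe() this must be 0. */
size_t nonzero_unassigned_bytes(void (*fill)(struct demo_xattr *))
{
    struct demo_xattr out;
    const unsigned char *b = (const unsigned char *)&out;
    size_t n = 0;
    fill(&out);
    for (size_t i = sizeof(out) - unwritten_bytes(); i < sizeof(out); i++)
        n += (b[i] != 0);
    return n;
}
```

`memset()` is used rather than a `{0}` initializer because the C standard does not guarantee that an initializer clears padding bytes, and padding is exactly what reaches user space here.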
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-memory-disclosure-via-xfs-ioc-fsgetxattr-9902