Vigil@nce: Linux kernel, memory reading via an OSF partition
March 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can insert a device with a malicious OSF
partition, in order to obtain values coming from the kernel memory.
– Severity: 1/4
– Creation date: 15/03/2011
IMPACTED PRODUCTS
- Linux kernel
DESCRIPTION OF THE VULNERABILITY
The osf_partition() function of the fs/partitions/osf.c file reads
an OSF partition table.
An OSF partition table is stored as a block of 274 bytes ended by
an array containing at most 8 partitions. The number of partitions
is indicated in the d_npartitions field. However, if this field
indicates more than 8 partitions, the kernel tries to read them
after the end of the 274 bytes block. If memory data located after
this block are invalid, the kernel displays an error message
containing the p_offset and p_size fields (8 bytes).
A local attacker can therefore insert a device with a malicious
OSF partition, in order to obtain values coming from the kernel
memory.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-memory-reading-via-an-OSF-partition-10456