Vigil@nce - Linux kernel: memory corruption via sendmmsg
December 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can use the sendmmsg() system call to make the kernel
access memory through an unchecked user-controlled pointer, which leads
to a denial of service or to code execution.
Severity: 2/4
Creation date: 09/12/2011
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The sendmmsg() system call sends multiple messages to a socket in one
call. For each message the kernel calls __sys_sendmsg(), which copies
the caller's struct msghdr into kernel memory with copy_from_user() and
moves the destination address (msg_name) into a kernel buffer.
However, when it is reached from sendmmsg(), __sys_sendmsg() compares
and caches that address through msg->msg_name, the pointer stored in
the user-space msghdr, instead of through the validated kernel copy.
The pointer is read again from user memory and handed directly to
memcmp()/memcpy() without any address check, so the caller controls
where the kernel reads from, including an address rewritten by another
thread after the first copy.
A local attacker can therefore use the sendmmsg() system call to make
the kernel access memory through an unchecked user pointer, which leads
to a denial of service or to code execution.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-memory-corruption-via-sendmmsg-11207