Vigil@nce - Linux kernel: memory corruption via kiocb
February 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can create an error in the kiocb processing, in
order to stop the system, and possibly to execute code.
Severity: 2/4
Creation date: 18/01/2012
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The Linux kernel supports AIO (Asynchrounous IO) in order to
transfer data efficiently.
The kiocb structure of the kernel stores information on AIO. Since
version 3.2, a user can request the usage of a group of kiocb
("batch"). However, if an error occurs in the processing of one of
the kiocb, the kiocb_batch_free() function frees a memory area
which is still used.
A local attacker can therefore create an error in the kiocb
processing, in order to stop the system, and possibly to execute
code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-memory-corruption-via-kiocb-11301