Vigil@nce - Linux kernel: memory corruption via build_unc_path_to_root
September 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can cause memory corruption in the
build_unc_path_to_root() function of the Linux kernel, in order to
trigger a denial of service, and possibly to execute code.
Impacted products: Linux
Severity: 2/4
Creation date: 19/08/2013
DESCRIPTION OF THE VULNERABILITY
The kernel can be compiled with support for CIFS (CONFIG_CIFS)
and DFS (Distributed File Systems, CONFIG_CIFS_DFS_UPCALL).
In this case, the build_unc_path_to_root() function in the
fs/cifs/connect.c file is called when the local client connects to
the remote CIFS server in order to mount the share.
However, if the server provides a special DFS Referral Name, one
byte is written past the end of the memory area.
A local attacker can therefore cause memory corruption in the
build_unc_path_to_root() function of the Linux kernel, in order to
trigger a denial of service, and possibly to execute code.
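The check below is an added example, not part of the Vigil@nce bulletin: it reads a kernel build configuration and reports whether both options named above (CONFIG_CIFS and CONFIG_CIFS_DFS_UPCALL) are enabled, which is the precondition for build_unc_path_to_root() being reachable. The function names and the sample configuration are constructed for illustration; the check says nothing about whether a given kernel version carries the fix.

```shell
#!/bin/sh
# Added example: report whether a kernel config enables the two options the
# bulletin names as the precondition (CONFIG_CIFS and CONFIG_CIFS_DFS_UPCALL).
# Function names are hypothetical helpers, not part of any kernel tooling.

# Print the value of one option (y, m or n) read from a kernel config file.
# A "# CONFIG_X is not set" line and a missing line both count as n.
kconfig_value() {
    # $1 = config file, $2 = option name
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${val:-n}"
}

# Print "reachable" when both options are built in or modular,
# "not-built" when either is off, "unknown" when the file cannot be read.
cifs_dfs_status() {
    cfg=$1
    [ -r "$cfg" ] || { echo "unknown"; return 2; }
    cifs=$(kconfig_value "$cfg" CONFIG_CIFS)
    dfs=$(kconfig_value "$cfg" CONFIG_CIFS_DFS_UPCALL)
    if [ "$cifs" != n ] && [ "$dfs" != n ]; then
        echo "reachable"
    else
        echo "not-built"
    fi
}

# Demo run on a constructed sample config (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_CIFS=m
# CONFIG_CIFS_XATTR is not set
CONFIG_CIFS_DFS_UPCALL=y
EOF
echo "sample config: $(cifs_dfs_status "$sample")"
rm -f "$sample"

# On a host, point it at the running kernel's config. The path below is an
# assumption (a common distribution convention); adjust it for your system:
#   cifs_dfs_status "/boot/config-$(uname -r)"
```

A "reachable" result means the CIFS DFS code path is compiled in or available as a module; whether the system is actually affected still depends on the kernel carrying the vendor's fix.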
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-memory-corruption-via-build-unc-path-to-root-13287