Vigil@nce - Linux kernel: memory corruption via cifs_iovec_write
March 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can generate a memory corruption in the
cifs_iovec_write() function of the Linux kernel, in order to
trigger a denial of service, and possibly to execute code.
– Impacted products: Fedora, Linux
– Severity: 2/4
– Creation date: 17/02/2014
DESCRIPTION OF THE VULNERABILITY
The Linux kernel supports filesystems of type CIFS.
The writev() system call performs a gather write: it writes data from
several memory areas in a single call. Each area is described by an
iovec structure:
struct iovec {
    void *iov_base; /* Starting address. */
    size_t iov_len; /* Size of the memory area. */
};
The cifs_iovec_write() function in fs/cifs/file.c writes the iovec
array to a CIFS filesystem. However, in "uncached" mode, the iov_base
address is not fully checked.
A local attacker can therefore generate a memory corruption in the
cifs_iovec_write() function of the Linux kernel, in order to
trigger a denial of service, and possibly to execute code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-memory-corruption-via-cifs-iovec-write-14265