Vigil@nce - Linux kernel: memory corruption via cifs_ioctl_clone
November 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can generate a memory corruption in the
cifs_ioctl_clone() function of the Linux kernel, in order to run
code with kernel privileges.
– Impacted products: Linux.
– Severity: 2/4.
– Creation date: 30/09/2015.
DESCRIPTION OF THE VULNERABILITY
The Linux kernel can be compiled with CONFIG_CIFS_SMB2 and
CONFIG_CIFS_POSIX. In this case, a CIFS filesystem can be mounted
with the option "vers" >= 2.0.
The cifs_ioctl_clone() function implements the BTRFS_IOC_CLONE
ioctl, which clones a file on CIFS (the user must has a write
access to the destination CIFS file). However, if the source file
comes from another filesystem, the cifs_ioctl_clone() function
copies a bad structure, and corrupts the memory.
A local attacker can therefore generate a memory corruption in the
cifs_ioctl_clone() function of the Linux kernel, in order to run
code with kernel privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-memory-corruption-via-cifs-ioctl-clone-17999