Vigil@nce - Linux kernel: memory corruption via ioctl_file_dedupe_range
October 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can generate a memory corruption via
ioctl_file_dedupe_range() on the Linux kernel, in order to trigger
a denial of service, and possibly to run code.
– Impacted products: Linux.
– Severity: 2/4.
– Creation date: 01/08/2016.
DESCRIPTION OF THE VULNERABILITY
The Linux kernel implements the FIDEDUPERANGE ioctl, to share file
sections.
The ioctl_file_dedupe_range() function checks the dest_count
parameter of the file_dedupe_range structure. However, this
function then reuses the value from the user space area, which may
have been modified after the check.
A local attacker can therefore generate a memory corruption via
ioctl_file_dedupe_range() on the Linux kernel, in order to trigger
a denial of service, and possibly to run code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Linux-kernel-memory-corruption-via-ioctl-file-dedupe-range-20264