Vigil@nce: Linux kernel, privilege elevation via sys_remap_file_pages
January 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can map a file in memory in order to create a
denial of service and eventually to execute code.
Gravity: 2/4
Consequences: administrator access/rights, denial of service of
computer
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 13/01/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The sys_remap_file_pages() function of mm/fremap.c is called when
a file is mapped in memory.
The get_file() and fput() macros/functions atomically
increment/decrement the number of users of a file. The
sys_remap_file_pages() does not use them.
A local attacker can therefore use a mapped file in order to
corrupt the memory, which leads to a denial of service or to code
execution.
CHARACTERISTICS
Identifiers: BID-33211, CVE-2009-0024, VIGILANCE-VUL-8384
http://vigilance.fr/vulnerability/Linux-kernel-privilege-elevation-via-sys-remap-file-pages-8384