Vigil@nce - Linux kernel: use after free via IPC_RMID
December 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use a freed memory area via IPC_RMID in the Linux
kernel, in order to trigger a denial of service, and possibly to
execute code.
Impacted products: Linux
Severity: 2/4
Creation date: 13/12/2013
DESCRIPTION OF THE VULNERABILITY
The shmctl() function controls a System V shared memory segment. The
IPC_RMID operation deletes (or marks for deletion) this segment.
However, if shmctl(IPC_RMID) and another shmctl() call on the same
segment run concurrently, the kernel's locking does not correctly
serialize them, so the second call can operate on segment data that
has already been freed.
An attacker can therefore use a freed memory area via IPC_RMID in
the Linux kernel, in order to trigger a denial of service, and
possibly to execute code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-use-after-free-via-IPC-RMID-13943