Vigil@nce: NetBSD, denial of service via mount_get_vfsops
January 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can mount a VFS filesystem in order to stop the
kernel.
Severity: 1/4
Consequences: denial of service of the computer
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 13/01/2010
IMPACTED PRODUCTS
– NetBSD
DESCRIPTION OF THE VULNERABILITY
The mount() system call is used to mount a filesystem:
  mount(type, dir, flags, data, data_len);
The "data" parameter can contain additional fields, which are used
depending on the filesystem type.
The mount_get_vfsops() function in the vfs_syscalls.c file (VFS)
uses the "fstype" field directly (instead of using the copy made
in kernel memory). If the attacker frees this field before it is
used, the kernel uses an invalid pointer, which stops it.
A local attacker can therefore mount a VFS filesystem in order to
stop the kernel.
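The pattern described above, as an added example that is not taken from the advisory or from NetBSD: a userland C model in which the caller's field changes between the copy into private memory and its use. All names (resolve_fstype, model_copyinstr, vfs_names, FSTYPE_MAX) are hypothetical, and the change is modeled as an overwrite of the buffer rather than a freed page.

```c
/* Userland model with hypothetical names; this is not NetBSD source code. */
#include <stdio.h>
#include <string.h>

#define FSTYPE_MAX 16                 /* assumed bound on a type name */
static const char *const vfs_names[] = { "ffs", "tmpfs", "nfs" };

/* Constructed stand-in for caller-owned memory that can change at any time. */
static char user_fstype[FSTYPE_MAX] = "tmpfs";

/* Models another thread of the caller rewriting the field mid-call. */
static void concurrent_change(void) { memset(user_fstype, 'X', FSTYPE_MAX - 1); }

/* Bounded copy-in, standing in for a kernel copy routine such as copyinstr(). */
static int model_copyinstr(const char *uaddr, char *kbuf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if ((kbuf[i] = uaddr[i]) == '\0')
            return 0;
    kbuf[len - 1] = '\0';
    return -1;                        /* no terminator within the bound */
}

/* Returns the table index of the type name, or -1 if unknown. */
static int lookup(const char *name)
{
    for (size_t i = 0; i < sizeof(vfs_names) / sizeof(vfs_names[0]); i++)
        if (strcmp(name, vfs_names[i]) == 0)
            return (int)i;
    return -1;
}

/* use_snapshot = 0 models the flaw: the name is read from caller memory again. */
static int resolve_fstype(const char *ufstype, void (*between)(void), int use_snapshot)
{
    char kname[FSTYPE_MAX];
    if (model_copyinstr(ufstype, kname, sizeof(kname)) != 0)
        return -1;
    between();                        /* caller memory may change here */
    return lookup(use_snapshot ? kname : ufstype);
}

int main(void)
{
    printf("snapshot: %d\n", resolve_fstype(user_fstype, concurrent_change, 1));
    strcpy(user_fstype, "tmpfs");
    printf("refetch:  %d\n", resolve_fstype(user_fstype, concurrent_change, 0));
    return 0;
}
```

With the snapshot, the lookup result depends only on what was copied in; with the second fetch, it depends on whatever the caller's memory holds at that moment.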
CHARACTERISTICS
Identifiers: BID-37767, NetBSD-SA2010-001, VIGILANCE-VUL-9344
http://vigilance.fr/vulnerability/NetBSD-denial-of-service-via-mount-get-vfsops-9344