Vigil@nce - Linux kernel: memory corruption via ptrace
August 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can write into the Linux kernel memory, in order to
trigger a denial of service, and possibly to run code with kernel
privileges.
Impacted products: Debian, Linux
Severity: 1/4
Creation date: 29/07/2014
DESCRIPTION OF THE VULNERABILITY
The ptrace system call is used by debuggers to control the traced
process.
The PTRACE_POKEUSR_AREA command of the ptrace system call is used
to write to the memory of the traced process. However, on s390
architectures, the kernel function __poke_user in the source file
"arch/s390/kernel/ptrace.c" does not correctly check the address
translation mode. This allows the calling process to bypass the
restrictions on the reachable address space and thus to write to
kernel memory.
An attacker can therefore write into the Linux kernel memory, in
order to trigger a denial of service, and possibly to run code
with kernel privileges.
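On s390 the address translation mode is selected by the address-space-control (ASC) bits of the PSW mask. As an added illustration (not code from this bulletin or from the Linux kernel), the user-space C model below contrasts a tracer-write check that treats every ASC value as acceptable with one that also validates the requested mode. The constants follow the s390x PSW layout; the writable-bit set, the sample mask and the choice of home-space mode as the value to reject are assumptions of this model.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* ASC field of the 64-bit s390x PSW mask and its four encodings. */
#define PSW_MASK_ASC      0x0000C00000000000ULL
#define PSW_ASC_PRIMARY   0x0000000000000000ULL
#define PSW_ASC_ACCREG    0x0000400000000000ULL
#define PSW_ASC_SECONDARY 0x0000800000000000ULL
#define PSW_ASC_HOME      0x0000C00000000000ULL

/* Model assumption: bits a tracer may change (ASC, condition code, program mask). */
#define MODEL_WRITABLE (PSW_MASK_ASC | 0x0000300000000000ULL | 0x00000F0000000000ULL)
/* Constructed sample: current PSW mask of a traced process, ASC = primary. */
#define MODEL_CUR_MASK 0x0705000180000000ULL

/* Weak check: only verifies that no bit outside the writable set changes. */
int check_weak(uint64_t cur, uint64_t req)
{
    return ((cur ^ req) & ~MODEL_WRITABLE) ? -EINVAL : 0;
}

/* Strict check: same, and additionally validates the requested ASC mode. */
int check_strict(uint64_t cur, uint64_t req)
{
    if ((cur ^ req) & ~MODEL_WRITABLE)
        return -EINVAL;
    if ((req & PSW_MASK_ASC) == PSW_ASC_HOME)   /* assumed privileged mode */
        return -EINVAL;
    return 0;
}

int main(void)
{
    const uint64_t asc[] = { PSW_ASC_PRIMARY, PSW_ASC_ACCREG,
                             PSW_ASC_SECONDARY, PSW_ASC_HOME };
    const char *name[] = { "primary", "accreg", "secondary", "home" };

    for (int i = 0; i < 4; i++) {
        uint64_t req = (MODEL_CUR_MASK & ~PSW_MASK_ASC) | asc[i];
        printf("%-9s weak=%d strict=%d\n", name[i],
               check_weak(MODEL_CUR_MASK, req),
               check_strict(MODEL_CUR_MASK, req));
    }
    return 0;
}
```

The two checks differ only for the home-space request, which is the point: a mask test that covers the writable bits without validating their values lets the mode change through.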
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-memory-corruption-via-ptrace-15104