Vigil@nce - Linux kernel: NULL pointer dereference via User Namespace Mount
June 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can force a NULL pointer to be dereferenced in User
Namespace Mount of the Linux kernel, in order to trigger a denial
of service.
Impacted products: Fedora, Linux
Severity: 1/4
Creation date: 01/06/2015
DESCRIPTION OF THE VULNERABILITY
The User Namespace (CONFIG_USER_NS) feature provides jailed
environments.
However, when the user triggers an unmount error, the
fs/namespace.c file does not check whether a pointer is NULL before
using it.
An attacker can therefore force a NULL pointer to be dereferenced
in User Namespace Mount of the Linux kernel, in order to trigger a
denial of service.