
Vigil@nce: Linux kernel, buffer overflow of NFSv4 ACLs

September 2008 by Vigil@nce


A local attacker can create an overflow in the nfsd service in order to elevate his privileges.

Gravity: 2/4

Consequences: administrator access/rights

Provenance: user shell

Means of attack: no proof of concept, no attack

Ability of attacker: expert (4/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Creation date: 05/09/2008

Identifier: VIGILANCE-VUL-8093


- Linux kernel [confidential versions]


The Linux kernel implements an NFS service (nfsd).

POSIX ACLs of shared files are converted to NFS ACLs, represented as ACEs (Access Control Entries). The init_state() function of fs/nfsd/nfs4acl.c allocates the memory areas that hold the ACEs of users and groups. However, the allocated size is 4*numberacl bytes too small, because it is computed from the size of the posix_ace_state structure rather than the larger posix_user_ace_state structure actually stored there (the two differ by 4 bytes per entry).
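To make the size mismatch concrete, here is an added illustration in C; it is not code from the advisory or from the kernel. The two structures are simplified stand-ins (assumption: posix_user_ace_state is posix_ace_state plus one 32-bit id field, which reproduces the 4-byte-per-entry difference the advisory describes). The defective pattern sizes the allocation by the wrong structure; the corrected pattern sizes it by the element type of the receiving pointer and records the capacity so that later stores can be bounds-checked.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for the two structures named in the advisory (assumed
 * layouts for this example; they are not the kernel's definitions). */
struct posix_ace_state {
    unsigned int allow;
    unsigned int deny;
};

struct posix_user_ace_state {
    unsigned int uid;              /* the extra field: +4 bytes per entry */
    struct posix_ace_state perms;
};

/* Bytes requested by the defective pattern: sized by the smaller structure. */
size_t vulnerable_alloc_size(size_t n) {
    return n * sizeof(struct posix_ace_state);
}

/* Bytes actually needed to store n entries of the type that is written. */
size_t required_alloc_size(size_t n) {
    return n * sizeof(struct posix_user_ace_state);
}

/* The shortfall the advisory gives as 4*numberacl bytes. */
size_t alloc_shortfall(size_t n) {
    return required_alloc_size(n) - vulnerable_alloc_size(n);
}

/* 1 if a buffer of alloc_bytes can hold n user entries, 0 otherwise. */
int entries_fit(size_t alloc_bytes, size_t n) {
    return alloc_bytes >= required_alloc_size(n);
}

/* Corrected pattern: the buffer remembers its capacity, and the allocation is
 * sized from sizeof(*entries), so it cannot drift from the stored type. */
struct user_ace_array {
    struct posix_user_ace_state *entries;
    size_t capacity;
};

int user_ace_array_init(struct user_ace_array *a, size_t n) {
    if (n > SIZE_MAX / sizeof(*a->entries))   /* multiplication overflow guard */
        return -1;
    a->entries = calloc(n, sizeof(*a->entries));
    if (a->entries == NULL)
        return -1;
    a->capacity = n;
    return 0;
}

/* Bounds-checked store: refuses to write past the recorded capacity. */
int user_ace_array_set(struct user_ace_array *a, size_t idx,
                       unsigned int uid, unsigned int allow, unsigned int deny) {
    if (a->entries == NULL || idx >= a->capacity)
        return -1;
    a->entries[idx].uid = uid;
    a->entries[idx].perms.allow = allow;
    a->entries[idx].perms.deny = deny;
    return 0;
}

void user_ace_array_free(struct user_ace_array *a) {
    free(a->entries);
    a->entries = NULL;
    a->capacity = 0;
}

int main(void) {
    size_t n = 3;
    printf("entries: %zu, requested: %zu bytes, needed: %zu bytes, short by: %zu bytes\n",
           n, vulnerable_alloc_size(n), required_alloc_size(n), alloc_shortfall(n));
    struct user_ace_array a;
    if (user_ace_array_init(&a, n) != 0)
        return 1;
    printf("store at index %zu: %s\n", n,
           user_ace_array_set(&a, n, 0, 0, 0) == 0 ? "accepted" : "rejected (out of bounds)");
    user_ace_array_free(&a);
    return 0;
}
```

The point of the corrected pattern is not the extra check alone: deriving the size from `sizeof(*a->entries)` ties the allocation to the pointer's element type, so a later change to either structure cannot silently reintroduce the shortfall.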

A local attacker who is allowed to change the POSIX ACLs of files shared over NFS can therefore define several ACL entries in order to trigger the overflow. This overflow leads to code execution in the kernel.


Identifiers: CVE-2008-3915, VIGILANCE-VUL-8093
