Vigil@nce - Linux kernel: buffer overflow via ldm_frag_add
June 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can mount a device with a malicious Windows Logical
Disk Manager partition, in order to corrupt the kernel memory,
which leads to a denial of service or to code execution.
Severity: 2/4
Creation date: 06/06/2011
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The fs/partitions/ldm.c file implements support for Windows
Logical Disk Manager partitions. These partitions are
automatically read when a user connects or mounts a device
formatted with LDM.
The ldm_frag_add() function adds the VBLK fragments of an LDM
partition to a linked list. Each VBLK is stored in an allocated
memory area. The memory size for the first fragment has been
correctly computed since VIGILANCE-VUL-10397
(https://vigilance.fr/tree/1/10397). However, starting from the
second fragment, an overflow can still occur.
An attacker can therefore mount a device with a malicious Windows
Logical Disk Manager partition, in order to corrupt the kernel
memory, which leads to a denial of service or to code execution.
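The bounds check that closes this class of bug, shown as an added userspace model in C that is not the kernel's ldm.c: the reassembly buffer is sized from the first fragment's declared part count, so every later fragment's part index and size must be validated against the stored values rather than against the claims in its own header. The header fields (group, rec, num), the 4-part limit and the flat per-part payload layout are assumptions made for illustration.

```c
/* Added example: a userspace model of VBLK fragment reassembly, not the kernel's
 * ldm.c. Header fields (group, rec, num), the 4-part limit and the flat
 * per-part payload layout are assumptions made for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define MAX_PARTS 4
struct frag {
    struct frag *next;
    uint32_t group;    /* VBLK group this buffer reassembles */
    unsigned num;      /* part count declared by the FIRST fragment seen */
    unsigned map;      /* bitmap of parts already received */
    size_t part_sz;    /* payload bytes per part, fixed at allocation */
    uint8_t data[];    /* num * part_sz bytes, allocated once */
};

/* Returns false and leaves the list untouched when the fragment is rejected. */
bool frag_add(struct frag **frags, uint32_t group, unsigned rec, unsigned num,
              const uint8_t *payload, size_t part_sz)
{
    /* Checks against this fragment's own header only. */
    if (num < 1 || num > MAX_PARTS || rec >= num)
        return false;
    struct frag *f;
    for (f = *frags; f; f = f->next)
        if (f->group == group)
            break;
    if (f) {
        /* The missing check: the buffer holds f->num parts of f->part_sz bytes,
         * so a later fragment is validated against the STORED values, not the
         * num and size it claims itself; duplicate parts are rejected too. */
        if (rec >= f->num || part_sz != f->part_sz || (f->map & (1u << rec)))
            return false;
    } else {
        f = calloc(1, sizeof(*f) + (size_t)num * part_sz);
        if (!f)
            return false;
        f->group = group;
        f->num = num;
        f->part_sz = part_sz;
        f->next = *frags;
        *frags = f;
    }
    f->map |= 1u << rec;
    memcpy(f->data + rec * f->part_sz, payload, part_sz); /* always in bounds */
    return true;
}
bool frag_complete(const struct frag *f) { return f->map == (1u << f->num) - 1; }
```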
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-buffer-overflow-via-ldm-frag-add-10713