Vigil@nce - Linux kernel: denial of service via HugeTLB
April 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can use the limits associated with Huge Pages to
force an invalid memory free, which stops the kernel.
Severity: 1/4
Creation date: 25/04/2012
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
Memory pages usually have a size of 4 kbytes. To limit the number
of memory address conversions, the kernel supports large pages,
with a size of up to 16 Mbytes. The "HugeTLB" table provides this
address conversion feature.
The HugeTLBfs virtual filesystem can be used to create files based
on Huge Pages.
The hugetlbfs_get_quota() and hugetlbfs_put_quota() functions
process the associated memory limits. However, they directly access
hugetlbfs_sb_info structures, which may have been freed by the
lower layer.
A local attacker can use the limits associated with Huge Pages to
force an invalid memory free, which stops the kernel.
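One way to avoid the lifetime problem described above is to keep the quota state in its own object that is freed only once both the mount and the last charged page are gone. The user-space C model below is an added illustration, not kernel code and not part of the bulletin; every name in it (quota_pool, pool_get, pool_put, pool_unmount) is hypothetical, and the teardown-before-release ordering is an assumption about how the freed structure gets reached.

```c
/* Constructed user-space model; all names are hypothetical, not kernel APIs.
 * Single-threaded: a real implementation would also need locking. */
#include <stdlib.h>
static int pool_frees;          /* instrumentation: how often a pool was freed */
struct quota_pool {             /* quota state, kept apart from the sb info */
    long free_pages;            /* pages still allowed under the limit */
    long used_pages;            /* pages currently charged */
    int  mounted;               /* 1 while the filesystem is mounted */
};

static struct quota_pool *pool_create(long limit) {
    struct quota_pool *p = malloc(sizeof(*p));
    if (p) { p->free_pages = limit; p->used_pages = 0; p->mounted = 1; }
    return p;
}

/* Free only when the mount is gone AND no page is still charged. */
static void pool_release_if_idle(struct quota_pool *p) {
    if (!p->mounted && p->used_pages == 0) { free(p); pool_frees++; }
}

static int pool_get(struct quota_pool *p, long n) {   /* charge n pages */
    if (n > p->free_pages) return -1;                 /* over the limit */
    p->free_pages -= n; p->used_pages += n;
    return 0;
}

static void pool_put(struct quota_pool *p, long n) {  /* uncharge n pages */
    p->free_pages += n; p->used_pages -= n;
    pool_release_if_idle(p);    /* p must not be used after this call */
}

static void pool_unmount(struct quota_pool *p) {
    p->mounted = 0;
    pool_release_if_idle(p);
}

/* Assumed ordering: teardown first, quota returned afterwards.
 * Returns 10 * (frees seen after unmount) + (frees seen after the late put). */
static int late_put_scenario(void) {
    struct quota_pool *p = pool_create(4);
    if (!p || pool_get(p, 2) != 0) { free(p); return -1; }
    pool_frees = 0;
    pool_unmount(p);            /* pages still charged: pool must survive */
    int after_unmount = pool_frees;
    pool_put(p, 2);             /* last user gone: pool is freed here */
    return 10 * after_unmount + pool_frees;
}
int main(void) { return late_put_scenario() == 1 ? 0 : 1; }
```

A return value of 1 from late_put_scenario() means the pool survived the unmount and was freed exactly once, by the late put.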
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-HugeTLB-11567