Vigil@nce: Linux kernel, memory corruption via do_exit
December 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can create an error calling BUG(), in order to
alter a value located in kernel memory.
– Severity: 2/4
– Creation date: 03/12/2010
DESCRIPTION OF THE VULNERABILITY
The set_fs(KERNEL_DS) call indicates that the code is run from the
kernel (no memory segment limit). The set_fs(USER_DS) call
indicates that the code is run from the user space.
The access_ok() function checks if a memory address is located in
the user space. This function is disabled when KERNEL_DS was
previously defined.
When a process created a kernel error (such as a BUG() call), the
clear_child_tid() function is called from do_exit(). This function
calls access_ok() before writing to memory. However, if KERNEL_DS
was defined, clear_child_tid() can write to the kernel space.
A local attacker can therefore create an error calling BUG(), in
order to alter a value located in kernel memory.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-memory-corruption-via-do-exit-10176