Vigil@nce - Linux kernel: memory corruption via tmpfs mempolicy
March 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can mount a tmpfs filesystem with mempolicy, then
remount it, in order to use a freed memory area, which leads to a
denial of service and possibly to code execution.
Impacted products: Fedora, Linux
Severity: 2/4
Creation date: 26/02/2013
DESCRIPTION OF THE VULNERABILITY
The tmpfs filesystem is used to store files in memory.
When the kernel is compiled with the CONFIG_NUMA (Numa Memory
Allocation and Scheduler Support) option, the mpol option of the
mount command defines the memory management policy for tmpfs.
The shmem_remount_fs() function of the mm/shmem.c file processes
mpol. However, if the filesystem is remounted without mpol, a
memory area previously freed is used.
A local attacker can therefore mount a tmpfs filesystem with
mempolicy, then remount it, in order to use a freed memory area,
which leads to a denial of service and possibly to code execution.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-memory-corruption-via-tmpfs-mempolicy-12462