Vigil@nce - Linux kernel: use after free via vhost_net_flush
July 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use a freed memory area in the vhost_net_flush()
function of the Linux kernel, in order to trigger a denial of
service, and possibly to execute code.
Impacted products: Linux
Severity: 2/4
Creation date: 16/07/2013
DESCRIPTION OF THE VULNERABILITY
The vhost-net driver implements network features in a virtualized
environment.
The vhost_net_ubuf_put_and_wait() function in the
drivers/vhost/net.c file frees the memory that its parameter
points to. However, the vhost_net_flush() function continues to
use this pointer after the call.
The vulnerability attack vector is unknown.
An attacker can therefore use a freed memory area in the
vhost_net_flush() function of the Linux kernel, in order to
trigger a denial of service, and possibly to execute code.
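The ownership mistake described above, as an added user-space model (not the kernel's code and not part of the original bulletin): a helper that both waits and frees, next to a split form where waiting never frees. All names are hypothetical, and the form of the later use (re-arming the counter) is an assumption of the model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the driver's reference-counted object. The real
 * free() is deferred to the end of run_model() so that a stale access can be
 * counted instead of triggering undefined behaviour. */
struct ubuf_ref { int refcount; bool released; };

static int stale_uses;                 /* accesses made after release */

static void ubuf_release(struct ubuf_ref *u) { u->released = true; }

/* Shape described in the bulletin: the helper drops the reference and also
 * frees its parameter. Waiting for in-flight users is elided (one thread). */
static void put_and_wait_freeing(struct ubuf_ref *u) { u->refcount--; ubuf_release(u); }

/* Split helpers: waiting does not free; the final owner frees explicitly. */
static void put_and_wait(struct ubuf_ref *u) { u->refcount--; }
static void put_wait_and_free(struct ubuf_ref *u) { put_and_wait(u); ubuf_release(u); }

/* Assumed later use in the flush path: re-arm the counter for reuse. */
static void ubuf_rearm(struct ubuf_ref *u) {
    if (u->released) { stale_uses++; return; }  /* in a driver: access to freed memory */
    u->refcount = 1;
}

/* Runs one flush followed by teardown; returns the number of stale accesses,
 * or -1 if the model object could not be allocated. */
int run_model(bool freeing_helper) {
    struct ubuf_ref *u = calloc(1, sizeof(*u));
    if (!u) return -1;
    u->refcount = 1;
    stale_uses = 0;
    if (freeing_helper) put_and_wait_freeing(u); else put_and_wait(u);
    ubuf_rearm(u);                              /* flush keeps using the pointer */
    if (!u->released) put_wait_and_free(u);     /* teardown: the only free point */
    free(u);                                    /* deferred real free */
    return stale_uses;
}

int main(void) {
    printf("freeing helper: %d stale use(s)\n", run_model(true));
    printf("split helpers:  %d stale use(s)\n", run_model(false));
    return 0;
}
```

In the model the stale access is only counted; in kernel code the same sequence touches memory that may already have been reallocated, which is why the bulletin rates the impact as denial of service and possibly code execution.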
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-use-after-free-via-vhost-net-flush-13126