Vigil@nce - Linux kernel: use after free via futex_wait
September 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can force the use of a freed memory area in the
futex_wait() function of the Linux kernel, in order to trigger a
denial of service, and possibly to execute code.
– Impacted products: Linux, RHEL
– Severity: 2/4
– Creation date: 10/09/2014
DESCRIPTION OF THE VULNERABILITY
The Linux kernel can be compiled with CONFIG_FUTEX (Fast Userspace
Mutex) support enabled.
However, when futexes are requeued during the execution of the
futex_wait() function, a counter is reset to zero instead of being
decremented, so a memory area that is still in use is prematurely
freed.
A local attacker can therefore force the use of a freed memory area
in the futex_wait() function of the Linux kernel, in order to
trigger a denial of service, and possibly to execute code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-use-after-free-via-futex-wait-15315