Security-Alerts mailing list archive (security-alerts@yandex-team.ru)
[security-alerts] FW: [SA28835] Linux Kernel "vmsplice()" System Call Vulnerabilities
>
> ----------------------------------------------------------------------
>
> TITLE:
> Linux Kernel "vmsplice()" System Call Vulnerabilities
>
> SECUNIA ADVISORY ID:
> SA28835
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/28835/
>
> CRITICAL:
> Less critical
>
> IMPACT:
> Exposure of sensitive information, Privilege escalation, DoS
>
> WHERE:
> Local system
>
> OPERATING SYSTEM:
> Linux Kernel 2.6.x
> http://secunia.com/product/2719/
>
> DESCRIPTION:
> Some vulnerabilities have been reported in the Linux Kernel, which
> can be exploited by malicious, local users to cause a DoS (Denial of
> Service), disclose potentially sensitive information, and gain
> escalated privileges.
>
> The vulnerabilities are caused due to the missing verification of
> parameters within the "vmsplice_to_user()",
> "copy_from_user_mmap_sem()", and "get_iovec_page_array()" functions
> in fs/splice.c before using them to perform certain memory
> operations. This can be exploited to e.g. read or write to arbitrary
> kernel memory via a specially crafted "vmsplice()" system call.
>
> Successful exploitation allows attackers to e.g. gain "root"
> privileges.
>
> Note: The affected system call first appeared in version 2.6.17.
>
> SOLUTION:
> Update to version 2.6.23.16 or 2.6.24.2.
>
> PROVIDED AND/OR DISCOVERED BY:
> Wojciech Purczynski of iSEC Security Research and qaaz
>
> ORIGINAL ADVISORY:
> iSEC Security Research:
> http://www.isec.pl/vulnerabilities/isec-0026-vmsplice_to_kernel.txt
>
> qaaz:
> http://milw0rm.com/exploits/5092
> http://milw0rm.com/exploits/5093
>
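A triage helper for the version information in the advisory above, added here as an example and not part of the original advisory or mail: it classifies a kernel release string against the versions the advisory states (system call introduced in 2.6.17, fixes in 2.6.23.16 and 2.6.24.2). The function name and result labels are made up for this example, and because a version string cannot show fixes backported into distribution kernels, "affected-range" means the kernel needs checking against the vendor's advisory.

```shell
#!/bin/sh
# Added example, not from the advisory: classify a kernel release string
# against the versions stated in SA28835.
# Result labels (hypothetical, chosen for this example):
#   not-affected    older than 2.6.17, vmsplice() does not exist yet
#   affected-range  2.6.17 up to, but not including, a stated fix release
#   fixed           2.6.23.16+, 2.6.24.2+, or a later kernel series
#   unknown         release string could not be parsed
# Caveat: distribution kernels often backport fixes without changing the
# upstream version number, so "affected-range" means "check the vendor
# advisory", not "confirmed vulnerable".

classify_kernel() {
    # Keep only the leading dotted number: "2.6.18-53.el5" -> "2.6.18"
    ver=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9.]*\).*/\1/p')
    ver=${ver%.}
    if [ -z "$ver" ]; then echo unknown; return 0; fi

    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}; stable=${4:-0}

    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -gt 6 ]; }; then
        echo fixed            # series released after the 2.6 fixes
    elif [ "$major" -lt 2 ] || [ "$minor" -lt 6 ] || [ "$patch" -lt 17 ]; then
        echo not-affected     # predates the system call
    elif [ "$patch" -lt 23 ]; then
        echo affected-range   # advisory lists no fix release for these
    elif [ "$patch" -eq 23 ]; then
        if [ "$stable" -ge 16 ]; then echo fixed; else echo affected-range; fi
    elif [ "$patch" -eq 24 ]; then
        if [ "$stable" -ge 2 ]; then echo fixed; else echo affected-range; fi
    else
        echo fixed            # 2.6.25 and later
    fi
}

# Classify the given release string, or the running kernel by default.
classify_kernel "${1:-$(uname -r)}"
```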