
A local root kernel vulnerability

[Security] Posted Jul 20, 2021 14:35 UTC (Tue) by corbet

Commit 8cae8cd89f05 went into the mainline kernel repository on July 19; it puts a limit on the size of buffers allocated in the seq_file mechanism and mentions "int overflow pitfalls". For more information, look to this Qualys advisory describing the vulnerability:

We discovered a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer: by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer.

It may not sound like much, but they claim to have written exploits for a number of Ubuntu, Debian, and Fedora distributions. Updates from distributors are already flowing, and this patch has been fast-tracked into today's stable kernel updates as well.
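The arithmetic behind the advisory's "-2GB-10B" offset, as an added userspace C sketch (not kernel code and not taken from the advisory or the commit). The function names, the doubling growth policy, the end-of-buffer write, and the `BUF_LIMIT` cap are assumptions made for illustration; the page states only the 1GB path length, the 10-byte string, the resulting offset, and that the fix limits the buffer size.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAIL_LEN  10                 /* "//deleted" plus NUL: the advisory's 10 bytes */
#define BUF_LIMIT ((size_t)INT_MAX)  /* hypothetical cap standing in for the fix */

/* Assumed growth policy: double the buffer until the output fits. */
size_t grow_to_fit(size_t need)
{
    size_t size = 4096;
    while (size < need && size <= SIZE_MAX / 2)
        size *= 2;
    return size;
}

/* Hypothetical callee: takes the length as int and writes TAIL_LEN bytes at
 * the end of the buffer; returns that write's offset from the buffer start. */
static int64_t tail_offset(int buflen)
{
    return (int64_t)buflen - TAIL_LEN;
}

/* Flawed caller: size_t is narrowed to int with no range check. */
int64_t offset_unchecked(size_t size)
{
    int buflen = (int)size;   /* 2^31 becomes INT_MIN on two's-complement targets */
    return tail_offset(buflen);
}

/* Hardened caller: refuse any size the int parameter cannot represent. */
int offset_checked(size_t size, int64_t *off)
{
    if (size < TAIL_LEN || size > BUF_LIMIT)
        return -1;
    *off = tail_offset((int)size);
    return 0;
}

int main(void)
{
    size_t size = grow_to_fit(((size_t)1 << 30) + 1);   /* path just over 1GB */
    int64_t off = 0;
    printf("buffer %zu bytes, unchecked offset %lld, checked rc %d\n", size,
           (long long)offset_unchecked(size), offset_checked(size, &off));
    return 0;
}
```

A path just over 1GB pushes the doubled buffer to 2GB, which no longer fits in an `int`; bounding the size before the narrowing conversion is what keeps the computed offset inside the buffer.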

Copyright © 2021, Eklektix, Inc.