Linux 2.1.132 and earlier allows local users to cause a denial of service (resource exhaustion) by reading a large buffer from a random device (e.g. /dev/urandom), which cannot be interrupted until the read has completed.
Local users can trigger a denial-of-service (DoS) condition on Linux systems (versions 2.1.132 and earlier) by requesting a very large read from a random device such as /dev/urandom. The read exhausts system resources and renders the system unresponsive until the operation completes, effectively preventing legitimate users from accessing the system.
Step 1: User Initiation: A local user executes a program designed to read a large amount of data from the /dev/urandom device.
Step 2: Kernel Interaction: The program issues a read() system call, requesting data from /dev/urandom.
Step 3: Random Number Generation: The kernel's random number generator (RNG) is invoked to provide the requested data. This process can be CPU-intensive depending on the entropy source and the size of the requested read.
Step 4: Blocking Operation: The read() system call blocks, waiting for the RNG to generate the requested data. The kernel does not allow the read operation to be interrupted.
Step 5: Resource Exhaustion: The read operation continues until the requested buffer is filled. During this time, the system's resources are consumed, potentially leading to a denial-of-service (DoS) condition as other processes are starved of CPU time and memory.
The vulnerability stems from the lack of interruptibility of read operations on the random devices in the affected Linux kernel versions. When a user process reads a large buffer from /dev/urandom, the kernel's random number generator (RNG) is invoked and the read blocks until the requested data has been produced. Because the read cannot be interrupted, a malicious user can request a very large buffer, consuming significant CPU and memory and preventing other processes from running; the result is resource exhaustion and a denial of service (DoS). The root cause is the design of the kernel's random device driver, which provides no mechanism to interrupt the read or to limit the resources it consumes. The vulnerability is not a buffer overflow or a race condition; it is a design flaw that permits uncontrolled resource consumption.