Bug 111305

Summary: Local exploit: Userland can access full kernel memory
Product: [Fedora] Fedora Reporter: Robert Scheck <redhat-bugzilla>
Component: kernelAssignee: Arjan van de Ven <arjanv>
Status: CLOSED NOTABUG QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: high    
Version: 1Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.securityfocus.com/archive/1/346095/2003-11-28/2003-12-04/0
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2003-12-02 09:37:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Robert Scheck 2003-12-01 21:32:13 UTC 
Description of problem:
Vulnerability  : userland can access full kernel memory 
Problem type   : local
Debian-specific: no
CVE Id(s)      : CAN-2003-0961

Recently multiple servers of the Debian project were compromised 
using a
Debian developers account and an unknown root exploit. Forensics
revealed a burneye encrypted exploit. Robert van der Meulen managed 
to
decrypt the binary which revealed a kernel exploit. Study of the 
exploit
by the RedHat and SuSE kernel and security teams quickly revealed 
that
the exploit used an integer overflow in the brk system call. Using
this bug it is possible for a userland program to trick the kernel 
into
giving access to the full kernel address space. This problem was 
found
in September by Andrew Morton, but unfortunately that was too late 
for
the 2.4.22 kernel release.

http://lists.debian.
org/debian-security-announce/debian-security-announce-2003/msg00212.
html

Version-Release number of selected component (if applicable):
kernel-2.4.22-1.2115.nptl

How reproducible:
Get the exploit or look at debian.org ;-)

Actual results:
Patched in 2.4.23 for the 2.4 tree.

Expected results:
Update to 2.4.23 or backport the patch. And don't forget the patches 
for the older Red Hat versions.

Additional info:
Someone might slap me if I'm wrong, but I can't find any backport in 
the actual Fedora Core 1 kernel...
Comment 1 Robert Scheck 2003-12-01 21:53:15 UTC 
--- linux-2.4.22/mm/mmap.c.orig 2003-12-01 22:45:21.000000000 +0100
+++ linux-2.4.22/mm/mmap.c      2003-12-01 22:47:23.000000000 +0100
@@ -1041,6 +1041,9 @@
        if (!len)
                return addr;

+       if ((addr + len) > TASK_SIZE || (addr + len) < addr)
+               return -EINVAL;
+
        /*
         * mlock MCL_FUTURE?
         */
Comment 2 Mark J. Cox 2003-12-02 09:37:20 UTC 
not vulnerable - patch exists in linux-2.4.18-smallpatches.patch
(2.4.22-1.2115.nptl)