Bug 144530

Summary: random poolsize sysctl handler integer overflow
Product: Red Hat Enterprise Linux 3 Reporter: Josh Bressers <bressers>
Component: kernelAssignee: Ernie Petrides <petrides>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: medium    
Version: 3.0CC: davej, dhoward, jparadis, mjc, peterm, petrides, riel
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-04-22 20:17:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Proposed patch for this issue.
none
Avoid interger overflow in poolsize_strategy() none

Description Josh Bressers 2005-01-07 22:23:53 UTC 
grsecurity announcement to full-disclosure
http://lists.netsys.com/pipermail/full-disclosure/2005-January/030660.html

This issue is low priority.  According to the advisory text "The poolsize bug
requires uid 0, but not anyroot capabilities."
Comment 1 Josh Bressers 2005-01-07 22:23:53 UTC 
Created attachment 109503 [details]
Proposed patch for this issue.
Comment 2 Ernie Petrides 2005-01-11 00:47:06 UTC 
Josh, uid 0 is the definition of "root capability" (at least outside
the context of SElinux).  So, the vulnerability reported at the link
provided in the initial bug comment reduces to "root can overwrite memory"
(which is possible using simpler means than the sysctl() interface).

I'm inclined to close this as WONTFIX, but I'll defer to you and Mark.
At the very least, I wouldn't consider this to be a candidate for a
security errata release.  Also, comment #1 contains an exploit, not
a patch.

Cheers.  -ernie
Comment 3 Josh Bressers 2005-01-11 03:00:40 UTC 
Ernie, I agree.  I filed this bug to have one of you kernel capable people to
verify that this is true.  We won't fix this if that's the case.
Comment 4 Don Howard 2005-01-17 23:50:34 UTC 
Why would we not fix this?
Comment 5 Don Howard 2005-01-17 23:54:14 UTC 
Created attachment 109900 [details]
Avoid interger overflow in poolsize_strategy()
Comment 6 Don Howard 2005-01-17 23:57:25 UTC 
The above patch corrects the system hang that can occur with the
exploit  from comment #1.
Comment 8 Ernie Petrides 2005-04-07 22:27:37 UTC 
Revised patch posted for review on 7-Apr-2005.
Comment 9 Ernie Petrides 2005-04-14 00:24:41 UTC 
A fix for this problem has just been committed to the RHEL3 E5
patch pool this evening (in kernel version 2.4.21-27.0.3.EL).
Comment 10 Ernie Petrides 2005-04-16 01:27:17 UTC 
A fix for this problem has also been committed to the RHEL3 U5
patch pool this evening (in kernel version 2.4.21-32.EL).
Comment 11 Josh Bressers 2005-04-22 20:17:34 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-293.html
Comment 12 Tim Powers 2005-05-18 13:29:04 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-294.html