Bug 426365 (CVE-2007-6434)

Summary: CVE-2007-6434 VM/Security: add security hook to do_brk
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: eparis, kernel-maint, sgrubb, vdanen
Keywords: Security
Hardware: All
OS: Linux
URL: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ecaf18c15aac8bb9bed7b7aa0e382fe252e275d5
Doc Type: Bug Fix
Last Closed: 2010-04-08 21:36:00 UTC

Description Jan Lieskovsky 2007-12-20 14:58:57 UTC
Description of problem:

Eric Paris has committed upstream the following check:

Given a specifically crafted binary do_brk() can be used to get low pages
available in userspace virtual memory and can thus be used to circumvent
the mmap_min_addr low memory protection.  Add security checks in do_brk().

<cite from CVE description>

Linux kernel 2.6.23 allows local users to create low pages in virtual userspace
memory and bypass mmap_min_addr protection via a crafted executable file that
calls the do_brk function.

</cite>

The patch is provided in the upstream commit above (see URL).

Comment 5 Jan Lieskovsky 2007-12-20 15:11:21 UTC
This bug is filed against the FC8 kernel (2.6.23.1-42.fc8 and later).
This bug (CVE-2007-6434) doesn't affect RHEL kernels from 2.1 up to 5.2.
The affected feature was introduced in the upstream kernel starting from
version 2.6.23. 


Eric Paris about this topic:

CVE-2007-6434 does not apply to RHEL.  It talks about a flaw in my original
implementation of mmap_min_addr upstream.  Since RHEL never implemented this at
all there is no flaw in the original implementation. (mind you we have no
protection, but at least from what I can read about this CVE it isn't applicable
to us at all)

This CVE would apply to Fedora, which shipped a 2.6.24 kernel.

Comment 6 Chuck Ebbert 2007-12-21 20:41:20 UTC
To make the mmap protection work right in 2.6.23, commit
7cd94146cd504016315608e297219f9fb7b1413b is needed too. Otherwise programs using
mmap address hints may fail mysteriously if the hint address is below the minimum.


Comment 7 Eugene Teo (Security Response) 2008-07-24 06:38:23 UTC
Reference: http://lkml.org/lkml/2007/12/4/182

Comment 8 Eric Paris 2009-08-12 14:03:33 UTC
Can we close this bug? It's been long fixed in Fedora.