Bug 512284 (CVE-2009-1897)

Summary: CVE-2009-1897 kernel: tun/tap: Fix crashes if open() /dev/net/tun and then poll() it
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Severity: high
Priority: high
Docs Contact:
Version: unspecified
CC: dhoward, dkovalsk, gregswift, herbert.xu, jlieskov, jmorris, jpirko, jskrabal, liko, lwang, ma, mcepl, mjc, paul, tao, vfalico
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=important,source=fulldisclosure,reported=20090717,public=20090409,cvss2=6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-21 13:00:54 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 512285, 512286
Bug Blocks:

Description Eugene Teo (Security Response) 2009-07-16 23:48:45 EDT
Reported by Eugene Kapun:
Fix NULL pointer dereference in tun_chr_poll() introduced by commit 33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554 ("tun: Limit amount of queued packets per device") and triggered by this code:

    #include <fcntl.h>
    #include <poll.h>
    int main(void)
    {
        int fd;
        struct pollfd pfd;
        fd = open("/dev/net/tun", O_RDWR);   /* opened, but never attached to an interface */
        pfd.fd = fd;
        pfd.events = POLLIN | POLLOUT;
        poll(&pfd, 1, 0);                    /* poll() on the unattached fd hit the NULL dereference */
        return 0;
    }

Upstream commit:

Comment 5 Eugene Teo (Security Response) 2009-07-17 07:23:57 EDT
The Red Hat Security Response Team is aware of the Linux kernel local privilege escalation exploit that is published in a number of security mailing lists and websites. The flaw identified by CVE-2009-1897 is a null pointer dereference vulnerability in the tun_chr_poll() function of the Linux kernel, introduced via the upstream git commit 33dccbb0. This flaw affects kernel versions between 2.6.30-rc1 and 2.6.31-rc3, and was addressed via the upstream git commit 3c8a9c63.

The flaw affects only the Red Hat Enterprise Linux 5.4 beta kernel as the upstream git commit 33dccbb0 was backported to the kernel as a normal bug fix. We will be addressing this flaw in a future update to the beta kernel. It is also possible to mitigate this flaw by ensuring that the permissions for /dev/net/tun are restricted to root only.

The default SELinux policy, in Red Hat Enterprise Linux 5, allows processes in the unconfined domains to map low memory in the kernel. The exploit did not bypass the null pointer dereference protection in the Linux kernel. However, we are updating the selinux-policy package to change this default configuration, so that it prevents the unconfined processes from being able to map the low memory. See bug 511143 for more information.

This issue does not affect any other released kernel in any Red Hat product.

In addition, future updates to Red Hat Enterprise Linux kernels may include the '-fno-delete-null-pointer-checks' gcc CFLAGS. See:

We would like to thank Brad Spengler for bringing these issues to our attention.
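The bug class comment 5 describes, and the reason the '-fno-delete-null-pointer-checks' flag is mentioned, is a pointer that is dereferenced before it is checked for NULL. The following is an added userspace illustration, not kernel code and not part of this bug report: the structs fake_sock, fake_tun and fake_tunfile and the two poll_* functions are constructed stand-ins for the driver. The vulnerable ordering reads tun->sk before testing tun, which entitles the compiler to delete the later check; the fixed ordering tests first, which is the shape of the upstream fix cited above.

```c
/* Added illustration of the bug class in comment 5: a NULL pointer that is
 * dereferenced before it is checked. Everything here is a constructed
 * userspace stand-in for the tun driver, not kernel code. */
#include <stdio.h>
#include <poll.h>

/* Constructed stand-ins for the kernel's sock / tun_struct / tun_file. */
struct fake_sock    { int readable; int writable; };
struct fake_tun     { struct fake_sock *sk; };
struct fake_tunfile { struct fake_tun *tun; };   /* NULL until the fd is attached to an interface */

/* Vulnerable ordering. 'tun->sk' is read before 'tun' is tested, so the
 * compiler may treat 'tun' as provably non-NULL and delete the check
 * (gcc's -fdelete-null-pointer-checks is the default; the
 * -fno-delete-null-pointer-checks flag named in comment 5 turns it off).
 * An fd that was opened but never attached then reaches the load through
 * a NULL pointer. */
unsigned poll_deref_before_check(struct fake_tunfile *tfile)
{
    struct fake_tun  *tun = tfile->tun;
    struct fake_sock *sk  = tun->sk;     /* dereference happens here */
    unsigned mask = 0;

    if (!tun)                            /* too late; may be optimised away */
        return POLLERR;

    if (sk->readable) mask |= POLLIN;
    if (sk->writable) mask |= POLLOUT;
    return mask;
}

/* Fixed ordering: test the pointer first; only the non-NULL path dereferences it. */
unsigned poll_check_before_deref(struct fake_tunfile *tfile)
{
    struct fake_tun  *tun = tfile->tun;
    struct fake_sock *sk;
    unsigned mask = 0;

    if (!tun)
        return POLLERR;

    sk = tun->sk;
    if (sk->readable) mask |= POLLIN;
    if (sk->writable) mask |= POLLOUT;
    return mask;
}

/* Constructed fixtures: an attached fd (readable and writable) and an unattached one. */
static struct fake_sock    sample_sock = { 1, 1 };
static struct fake_tun     sample_tun  = { &sample_sock };
static struct fake_tunfile attached    = { &sample_tun };
static struct fake_tunfile unattached  = { NULL };

unsigned fixed_on_unattached(void) { return poll_check_before_deref(&unattached); }
unsigned fixed_on_attached(void)   { return poll_check_before_deref(&attached); }
unsigned vuln_on_attached(void)    { return poll_deref_before_check(&attached); }
/* poll_deref_before_check(&unattached) is deliberately never called: in
 * userspace it faults, and in the kernel it was the crash this bug is about. */

int main(void)
{
    printf("fixed, unattached fd: 0x%x (POLLERR=0x%x)\n", fixed_on_unattached(), (unsigned)POLLERR);
    printf("fixed, attached fd:   0x%x\n", fixed_on_attached());
    printf("vuln,  attached fd:   0x%x\n", vuln_on_attached());
    return 0;
}
```

Both functions behave identically on an attached fd; they differ only on the unattached path, where the fixed version returns POLLERR and the vulnerable version has already loaded through NULL. That is why the check must precede the first use rather than rely on a compiler flag to keep it alive.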
Comment 13 Mark J. Cox (Product Security) 2009-07-20 04:54:54 EDT
The CVSS 'access complexity' metric was originally set to AC:M but I incorrectly changed it to AC:L. I've now put it back to AC:M.  This is because by default /dev/net/tun is restricted to root only access, but it's probable that a system owner could have changed the permissions.
Comment 15 Danny Feng 2009-07-23 01:29:35 EDT
*** Bug 512673 has been marked as a duplicate of this bug. ***
Comment 16 Fedora Update System 2009-07-29 18:25:53 EDT
kernel- has been submitted as an update for Fedora 11.