Bug 512673

Summary: kernel: security: root-exploit if tun not set
Product: Red Hat Enterprise Linux 5 Reporter: Gerrit Slomma <gerrit.slomma>
Component: kernelAssignee: Danny Feng <dfeng>
Status: CLOSED DUPLICATE QA Contact: Red Hat Kernel QE team <kernel-qe>
Severity: medium Docs Contact:
Priority: low    
Version: 5.3   
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-07-23 01:29:35 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Gerrit Slomma 2009-07-20 06:35:39 EDT
Haven't found this on bugzilla, it is from Friday 2009-07-17, posted on heise security.

Description of problem:

Brad Spengler, the developer behind the Grsecurity project, has published an exploit for a vulnerability in the Tun interface in Linux kernel 2.6.30 and 2.6.18, used in Red Hat Enterprise Linux 5 (RHEL5), which can be exploited by attackers to obtain root privileges. Of particular interest is the fact that the exploit is even able to circumvent security extensions such as SELinux. According to Spengler's report, the vulnerability is only found in these two versions of the kernel. The core of the problem is a normally non-exploitable null pointer dereference, which becomes exploitable due to the GCC's optimisation function.

Version-Release number of selected component (if applicable):

Kernels 2.6.18 with backports (all of RHEL5) and kernels 2.6.30

Expected Result:

Future kernel versions will be compiled using the "fno-delete-null-pointer-checks" option, so that the compiler no longer eliminates checks for null pointers. A debate on lwn.net shows a split in opinion on whether this is GCC optimising code to breaking point, or a programming error.

Additional info:

http://www.h-online.com/security/Root-exploit-for-Linux-kernel-published--/news/113791
http://lists.grok.org.uk/pipermail/full-disclosure/2009-July/069714.html
Comment 1 Danny Feng 2009-07-23 01:29:35 EDT
This security bug is known as CVE-2009-1897, duplicated with bz512284.

*** This bug has been marked as a duplicate of bug 512284 ***