This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours

Bug 606611 (CVE-2010-2240)

Summary: CVE-2010-2240 kernel: mm: keep a guard page below a grow-down stack segment
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Andrea Arcangeli <aarcange>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aarcange, amyagi, arozansk, bhu, botsch, bressers, bugreports2005, davej, davids, degts, dfeng, dhoward, gerrit.slomma, jcm, jkacur, jlieskov, jolsa, jpirko, jweiner, kem, kmcmartin, leo.jaaskelainen, lgoncalv, liko, lwang, lwoodman, matt, mjc, mmcgrath, ned, peter.hutterer, plyons, pmatouse, rcvalle, riel, security-response-team, stephenf, tbaumann, tburke, tcallawa, t.h.amundsen, vgoyal, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=important,public=20100813,source=vendor-sec,reported=20100621,cvss2=7.2/AV:L/AC:L/Au:N/C:C/I:C/A:C,cwe=CWE-119
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-28 04:03:04 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 607853, 607854, 607855, 607856, 607857, 607858, 607859, 625364, 625634, 625635, 625636    
Bug Blocks:    

Description Eugene Teo (Security Response) 2010-06-22 00:27:23 EDT
Description of problem:
When an application has a stack overflow, the stack could silently overwrite other memory mapped area instead of causing a segmentation fault.

Acknowledgements:

Red Hat would like to thank the X.Org security team for reporting this issue. Upstream acknowledges Rafal Wojtczuk as the original reporter.
Comment 24 Eugene Teo (Security Response) 2010-08-12 21:44:06 EDT
Linus has committed a fix for this issue:
http://git.kernel.org/linus/320b2b8de12698082609ebbc1a17165727f4c893
Comment 30 Chuck Ebbert 2010-08-15 18:07:13 EDT
Fixed in 2.6.32.19, 2.6.34.4 and 2.6.35.2. Fixes are in the review stage for 2.6.27.52
Comment 36 errata-xmlrpc 2010-08-17 11:52:31 EDT
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2010:0631 https://rhn.redhat.com/errata/RHSA-2010-0631.html
Comment 37 Eugene Teo (Security Response) 2010-08-17 23:17:17 EDT
From the reporter,
Blog: http://theinvisiblethings.blogspot.com/2010/08/skeletons-hidden-in-linux-closet.html
Paper: http://www.invisiblethingslab.com/resources/misc-2010/xorg-large-memory-attacks.pdf

It was reported that this can be exploited with an X server. It is possible to mitigate this by disabling MIT-SHM extension as indicated in section 3.2 of the provided paper. However, this workaround is only applied to this specific scenario.
Comment 41 Chuck Ebbert 2010-08-19 06:57:53 EDT
All the fixes are queued as of 2.6.27.52-rc3, 2.6.32.20-rc1, 2.6.34.5-rc1 and 2.6.35.3-rc1. They're also in the latest F12, 13 and 14 updates submitted for testing.
Comment 47 bugreports2005 2010-08-23 03:47:10 EDT
Is this resolved in the current RHEL5 kernel?
Comment 49 Dave Botsch 2010-08-23 14:06:31 EDT
RHEL4?
Comment 51 Eugene Teo (Security Response) 2010-08-23 20:47:56 EDT
(In reply to comment #47)
> Is this resolved in the current RHEL5 kernel?

(In reply to comment #49)
> RHEL4?

Not yet to both. We are working on updates to address this issue. As you can see in comment #43, there are additional fixes available two days ago, that we will also need to backport for issues found in the official fixes. Thanks.
Comment 54 bugreports2005 2010-08-27 02:23:19 EDT
Is there an ETA on a fix? We are getting quite nervous.
Comment 55 errata-xmlrpc 2010-08-30 09:11:11 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.3.Z - Server Only

Via RHSA-2010:0660 https://rhn.redhat.com/errata/RHSA-2010-0660.html
Comment 56 errata-xmlrpc 2010-08-30 09:43:31 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0661 https://rhn.redhat.com/errata/RHSA-2010-0661.html
Comment 57 advax 2010-08-30 18:07:30 EDT
Reading the original paper
http://cansecwest.com/core05/memory_vulns_delalleau.pdf, it seems that guard pages may be inadequate, especially if programs are compiled without gcc -fstack-check, as applications can control their own stack pointer.

Linus' commit 320b2b8de12698082609ebbc1a17165727f4c893
says it's a minimal patch to add a guard page below a grow-down stack segment.

Am I missing something ? Should X be recompiled with -fstack-check ?
Comment 58 Eugene Teo (Security Response) 2010-08-30 21:38:59 EDT
(In reply to comment #57)
> Reading the original paper
> http://cansecwest.com/core05/memory_vulns_delalleau.pdf, it seems that guard
> pages may be inadequate, especially if programs are compiled without gcc
> -fstack-check, as applications can control their own stack pointer.
> 
> Linus' commit 320b2b8de12698082609ebbc1a17165727f4c893
> says it's a minimal patch to add a guard page below a grow-down stack segment.
> 
> Am I missing something ? Should X be recompiled with -fstack-check ?

For the userspace, please follow-up in bug 615330. Thanks.
Comment 59 errata-xmlrpc 2010-09-02 13:20:22 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.4.Z - Server Only

Via RHSA-2010:0670 https://rhn.redhat.com/errata/RHSA-2010-0670.html
Comment 60 errata-xmlrpc 2010-09-07 09:57:17 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0676 https://rhn.redhat.com/errata/RHSA-2010-0676.html
Comment 61 errata-xmlrpc 2010-09-07 09:59:56 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4.7 Z Stream

Via RHSA-2010:0677 https://rhn.redhat.com/errata/RHSA-2010-0677.html
Comment 62 Matt Andrews 2010-09-16 15:08:18 EDT
kernel 2.6.18-194.11.3.el5 x86_64 described in RHSA-2010:0661 https://rhn.redhat.com/errata/RHSA-2010-0661.html appears to still be vulnerable.
Comment 63 Matt Andrews 2010-09-16 16:10:02 EDT
Sorry, looks like the issue I'm seeing is CVE-2010-3081 not CVE-2010-2240. please ignore my previous comment.
Comment 64 errata-xmlrpc 2010-11-12 04:37:00 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3 Extended Lifecycle Support

Via RHSA-2010:0882 https://rhn.redhat.com/errata/RHSA-2010-0882.html