Red Hat Bugzilla – Full Text Bug Listing
|Summary:||CVE-2010-2240 kernel: mm: keep a guard page below a grow-down stack segment|
|Product:||[Other] Security Response||Reporter:||Eugene Teo (Security Response) <eteo>|
|Component:||vulnerability||Assignee:||Andrea Arcangeli <aarcange>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||unspecified||CC:||aarcange, amyagi, arozansk, bhu, botsch, bressers, bugreports2005, davej, davids, degts, dfeng, dhoward, gerrit.slomma, jcm, jkacur, jlieskov, jolsa, jpirko, jweiner, kem, kmcmartin, leo.jaaskelainen, lgoncalv, liko, lwang, lwoodman, matt, mjc, mmcgrath, ned, peter.hutterer, plyons, pmatouse, rcvalle, riel, security-response-team, stephenf, tbaumann, tburke, tcallawa, t.h.amundsen, vgoyal, williams|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2012-03-28 04:03:04 EDT||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||607853, 607854, 607855, 607856, 607857, 607858, 607859, 625364, 625634, 625635, 625636|
Description Eugene Teo (Security Response) 2010-06-22 00:27:23 EDT
Description of problem: When an application has a stack overflow, the stack could silently overwrite other memory mapped area instead of causing a segmentation fault. Acknowledgements: Red Hat would like to thank the X.Org security team for reporting this issue. Upstream acknowledges Rafal Wojtczuk as the original reporter.
Comment 24 Eugene Teo (Security Response) 2010-08-12 21:44:06 EDT
Linus has committed a fix for this issue: http://git.kernel.org/linus/320b2b8de12698082609ebbc1a17165727f4c893
Comment 30 Chuck Ebbert 2010-08-15 18:07:13 EDT
Fixed in 220.127.116.11, 18.104.22.168 and 22.214.171.124. Fixes are in the review stage for 126.96.36.199
Comment 31 Eugene Teo (Security Response) 2010-08-15 20:04:07 EDT
(In reply to comment #24) > Linus has committed a fix for this issue: > http://git.kernel.org/linus/320b2b8de12698082609ebbc1a17165727f4c893 We also need: http://git.kernel.org/linus/5528f9132cf65d4d892bcbc5684c61e7822b21e9 http://git.kernel.org/linus/96054569190bdec375fe824e48ca1f4e3b53dd36 http://git.kernel.org/linus/11ac552477e32835cb6970bf0a70c210807f5673 http://git.kernel.org/linus/d7824370e26325c881b665350ce64fb0a4fde24a http://git.kernel.org/linus/05fa199d45c54a9bda7aa3ae6537253d6f097aa9 (in rhel6)
Comment 36 errata-xmlrpc 2010-08-17 11:52:31 EDT
This issue has been addressed in following products: MRG for RHEL-5 Via RHSA-2010:0631 https://rhn.redhat.com/errata/RHSA-2010-0631.html
Comment 37 Eugene Teo (Security Response) 2010-08-17 23:17:17 EDT
From the reporter, Blog: http://theinvisiblethings.blogspot.com/2010/08/skeletons-hidden-in-linux-closet.html Paper: http://www.invisiblethingslab.com/resources/misc-2010/xorg-large-memory-attacks.pdf It was reported that this can be exploited with an X server. It is possible to mitigate this by disabling MIT-SHM extension as indicated in section 3.2 of the provided paper. However, this workaround is only applied to this specific scenario.
Comment 41 Chuck Ebbert 2010-08-19 06:57:53 EDT
All the fixes are queued as of 188.8.131.52-rc3, 184.108.40.206-rc1, 220.127.116.11-rc1 and 18.104.22.168-rc1. They're also in the latest F12, 13 and 14 updates submitted for testing.
Comment 43 Chuck Ebbert 2010-08-22 10:16:23 EDT
Three more patches related to the stack guard page have been added: http://git.kernel.org/linus/297c5eee372478fc32fec5fe8eed711eedb13f3d http://git.kernel.org/linus/7798330ac8114c731cfab83e634c6ecedaa233d7 http://git.kernel.org/linus/0e8e50e20c837eeec8323bba7dcd25fe5479194c
Comment 47 bugreports2005 2010-08-23 03:47:10 EDT
Is this resolved in the current RHEL5 kernel?
Comment 49 Dave Botsch 2010-08-23 14:06:31 EDT
Comment 51 Eugene Teo (Security Response) 2010-08-23 20:47:56 EDT
(In reply to comment #47) > Is this resolved in the current RHEL5 kernel? (In reply to comment #49) > RHEL4? Not yet to both. We are working on updates to address this issue. As you can see in comment #43, there are additional fixes available two days ago, that we will also need to backport for issues found in the official fixes. Thanks.
Comment 54 bugreports2005 2010-08-27 02:23:19 EDT
Is there an ETA on a fix? We are getting quite nervous.
Comment 55 errata-xmlrpc 2010-08-30 09:11:11 EDT
This issue has been addressed in following products: Red Hat Enterprise Linux 5.3.Z - Server Only Via RHSA-2010:0660 https://rhn.redhat.com/errata/RHSA-2010-0660.html
Comment 56 errata-xmlrpc 2010-08-30 09:43:31 EDT
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2010:0661 https://rhn.redhat.com/errata/RHSA-2010-0661.html
Comment 57 advax 2010-08-30 18:07:30 EDT
Reading the original paper http://cansecwest.com/core05/memory_vulns_delalleau.pdf, it seems that guard pages may be inadequate, especially if programs are compiled without gcc -fstack-check, as applications can control their own stack pointer. Linus' commit 320b2b8de12698082609ebbc1a17165727f4c893 says it's a minimal patch to add a guard page below a grow-down stack segment. Am I missing something ? Should X be recompiled with -fstack-check ?
Comment 58 Eugene Teo (Security Response) 2010-08-30 21:38:59 EDT
(In reply to comment #57) > Reading the original paper > http://cansecwest.com/core05/memory_vulns_delalleau.pdf, it seems that guard > pages may be inadequate, especially if programs are compiled without gcc > -fstack-check, as applications can control their own stack pointer. > > Linus' commit 320b2b8de12698082609ebbc1a17165727f4c893 > says it's a minimal patch to add a guard page below a grow-down stack segment. > > Am I missing something ? Should X be recompiled with -fstack-check ? For the userspace, please follow-up in bug 615330. Thanks.
Comment 59 errata-xmlrpc 2010-09-02 13:20:22 EDT
This issue has been addressed in following products: Red Hat Enterprise Linux 5.4.Z - Server Only Via RHSA-2010:0670 https://rhn.redhat.com/errata/RHSA-2010-0670.html
Comment 60 errata-xmlrpc 2010-09-07 09:57:17 EDT
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Via RHSA-2010:0676 https://rhn.redhat.com/errata/RHSA-2010-0676.html
Comment 61 errata-xmlrpc 2010-09-07 09:59:56 EDT
This issue has been addressed in following products: Red Hat Enterprise Linux 4.7 Z Stream Via RHSA-2010:0677 https://rhn.redhat.com/errata/RHSA-2010-0677.html
Comment 62 Matt Andrews 2010-09-16 15:08:18 EDT
kernel 2.6.18-194.11.3.el5 x86_64 described in RHSA-2010:0661 https://rhn.redhat.com/errata/RHSA-2010-0661.html appears to still be vulnerable.
Comment 63 Matt Andrews 2010-09-16 16:10:02 EDT
Sorry, looks like the issue I'm seeing is CVE-2010-3081 not CVE-2010-2240. please ignore my previous comment.