Bug 631623 (CVE-2010-3079)

Summary: CVE-2010-3079 kernel: ftrace NULL ptr deref
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: arozansk, bhu, casmls, fhrbata, jkacur, lgoncalv, peterm, security-response-team, williams
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2021-10-19 09:13:56 UTC
Bug Depends On: 631624, 631625, 631626

Description Eugene Teo (Security Response) 2010-09-08 02:23:44 UTC
Description of problem:
It requires debugfs to be mounted on a local system

$ mount | grep debugfs
none on /sys/kernel/debug type debugfs (rw)
none on /var/lib/ureadahead/debugfs type debugfs (rw,relatime)

Tested with Ubuntu Maverick 10.04.1 with kernel 2.6.32-24-generic-pae. It's probably not exploitable in any meaningful way, although it produces a page fault in kernel mode and makes subsequent processes opening /sys/kernel/debug/tracing/set_ftrace_filter (or set_ftrace_notrace) unkillable, so it's a little bit of a DoS (or at least, an annoyance).

Found via one of Tavis Ormandy's tools, I just quickly analyzed it and provided a testcase.

Acknowledgements:

Red Hat would like to thank Robert Swiecki of Google Security Team for reporting this issue.

Comment 3 Eugene Teo (Security Response) 2010-09-08 02:38:45 UTC
Statement:

This issue did not affect the versions of the Linux kernel shipped with Red Hat Enterprise Linux 3, 4 and 5, as they do not include support for Ftrace. It did not affect Red Hat Enterprise MRG as it did not contain the upstream commit 8fc0c701 that introduced this flaw.

Comment 4 Eugene Teo (Security Response) 2010-09-08 02:42:20 UTC
Debugfs is not mounted by default. You need to run "mount -t debugfs nodev /sys/kernel/debug" as root first.

Comment 5 Eugene Teo (Security Response) 2010-09-09 02:45:35 UTC
Patch:
http://git.kernel.org/tip/9c55cb12c1c172e2d51e85fbb5a4796ca86b77e7

Comment 7 Chuck Ebbert 2010-09-21 03:32:02 UTC
Fixed in 2.6.27.54, 2.6.32.22 and 2.6.35.5
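
The two conditions the report gives (debugfs mounted, per comment 4, and a kernel predating the stable fixes in comment 7) combined into a host check; this is an added example, not code from the bug report or its reporters. It assumes, beyond what the page states, that the flaw is present from 2.6.27 and that mainline carries the fix from 2.6.36, and it cannot see backported fixes such as RHSA-2010:0842 for Red Hat Enterprise Linux 6, where the vendor advisory is authoritative.

```shell
#!/bin/sh
# Added check, not from the bug report: is this host exposed to CVE-2010-3079?
# Both report conditions must hold: debugfs mounted (comment 4) and a kernel
# older than the stable fixes in comment 7. "-24-generic-pae"-style suffixes are
# dropped, so vendor kernels that backport the fix need their advisory instead.

# vercmp A B: prints -1, 0 or 1 for dotted versions (missing fields count as 0).
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${x:-0}" -lt "${y:-0}" ]; then printf '%s\n' -1; return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# kernel_status UNAME_R: prints affected, fixed, not-affected or unknown.
kernel_status() {
    v=${1%%-*}                                  # 2.6.32-24-generic-pae -> 2.6.32
    case $(printf '%s' "$v" | cut -d. -f1-3) in
        2.6.27) fix=2.6.27.54 ;;
        2.6.32) fix=2.6.32.22 ;;
        2.6.35) fix=2.6.35.5 ;;
        *)  # Assumption (not on the page): the flaw exists from 2.6.27 and
            # mainline carries the fix from 2.6.36; branches in between without
            # a listed stable fix are reported as unknown.
            if [ "$(vercmp "$v" 2.6.27)" -lt 0 ]; then printf 'not-affected\n'
            elif [ "$(vercmp "$v" 2.6.36)" -ge 0 ]; then printf 'fixed\n'
            else printf 'unknown\n'; fi
            return 0 ;;
    esac
    if [ "$(vercmp "$v" "$fix")" -lt 0 ]; then printf 'affected\n'; else printf 'fixed\n'; fi
}

# exposed MOUNT_OUTPUT UNAME_R: succeeds (0) when debugfs is mounted and the
# kernel is not known to be fixed or unaffected.
exposed() {
    printf '%s\n' "$1" | grep -q ' type debugfs ' || return 1
    case $(kernel_status "$2") in fixed|not-affected) return 1 ;; esac
    return 0
}

# Constructed sample: the mount lines and kernel version quoted in the report.
SAMPLE_MOUNTS='none on /sys/kernel/debug type debugfs (rw)
none on /var/lib/ureadahead/debugfs type debugfs (rw,relatime)'
if exposed "$SAMPLE_MOUNTS" 2.6.32-24-generic-pae; then echo "exposed: unmount debugfs or update the kernel"; fi
```

On a live host call `exposed "$(mount)" "$(uname -r)"`; the debugfs mount line is the same prerequisite the description's test relied on.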

Comment 8 errata-xmlrpc 2010-11-10 19:09:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html

Comment 9 errata-xmlrpc 2010-11-22 19:35:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html