Bug 645252

Summary: CVE-2010-3904 kernel: Linux RDS Protocol Local Privilege Escalation
Product: Fedora
Reporter: Jan ONDREJ <ondrejj>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: low
Version: 13
CC: collura, dougsland, edoutreleau, gansalmon, itamar, jonathan, kernel-maint, kmcmartin, madhu.chinakonda, ngaywood, nphilipp, rwahl, sandro
Keywords: Security
Doc Type: Bug Fix
Last Closed: 2010-12-02 01:44:24 UTC
Bug Blocks: 642896, 645305

Description Jan ONDREJ 2010-10-21 06:29:56 UTC
Description of problem:
Vulnerability Details
---------------------
On Linux, recvmsg() style socket calls are performed using iovec structs, which
allow a user to specify a base address and size for a buffer used to receive
socket data.  Each packet family is responsible for defining functions that
copy socket data, which is received by the kernel, back to user space to allow
user programs to process and handle received network data.

When performing this copying of data to user space, the RDS protocol failed to
verify that the base address of a user-provided iovec struct pointed to a valid
userspace address before using the __copy_to_user_inatomic() function to copy
the data.  As a result, by providing a kernel address as an iovec base and
issuing a recvmsg() style socket call, a local user could write arbitrary data
into kernel memory.  This can be leveraged to escalate privileges to root.

Please make updates for all currently stable releases, F12 and F13. Thank you.

Version-Release number of selected component (if applicable):
2.6.34.7-56.fc13.i686.PAE
2.6.32.21-168.fc12.i686.PAE

How reproducible:
Always exploitable

Steps to Reproduce:
And the updated exploit is available at:
http://www.vsecurity.com/download/tools/linux-rds-exploit.c

Actual results:
got root access

Additional info:
http://www.vsecurity.com/resources/advisory/20101019-1/

Comment 1 Nils Philippsen 2010-10-21 10:40:13 UTC
This upstream commit is supposed to fix the bug:

commit 799c10559d60f159ab2232203f222f18fa3c4a5f
Author: Linus Torvalds <torvalds>
Date:   Fri Oct 15 11:09:28 2010 -0700

    De-pessimize rds_page_copy_user

Comment 2 Norman Gaywood 2010-10-22 03:14:57 UTC
Fedora 12 kernel-2.6.32.23-170.fc12.x86_64 also has this problem

Comment 3 Norman Gaywood 2010-10-24 05:47:01 UTC
Still no sign of an updated kernel for F12 in koji. F13 and F14 seem to have a kernel built for them although I don't think they have been pushed to testing yet.

I've implemented the work-around, mentioned in the link above:

echo "alias net-pf-21 off" > /etc/modprobe.d/disable-rds

which stops the exploit.
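
As an added defensive check that is not part of this bug report or of Fedora's tooling, the following POSIX shell function reports whether the modprobe workaround described in the comment above is actually in effect and flags two ways it can fail unnoticed; the function name and its arguments are assumptions.

```sh
#!/bin/sh
# Added helper (not from the advisory or from Fedora): report whether the
# modprobe-based workaround for this bug is in place. The workaround keeps
# the rds module from being auto-loaded when a process opens an AF_RDS
# socket (kernel alias net-pf-21), which is what the exploit relies on.
#
# rds_mitigation_status DIR [MODULES_FILE]
#   DIR           modprobe configuration directory, normally /etc/modprobe.d
#   MODULES_FILE  loaded-module list, normally /proc/modules
# Exit status 0 when an effective disabling directive was found, 1 otherwise.
rds_mitigation_status() {
    dir=$1
    modules=${2:-/proc/modules}
    found=0
    # Either directive prevents the auto-load: "alias net-pf-21 off" maps the
    # protocol family to nothing, "install rds /bin/true" replaces the load.
    pattern='^[[:space:]]*(alias[[:space:]]+net-pf-21[[:space:]]+off|install[[:space:]]+rds[[:space:]]+/bin/true)([[:space:]]|$)'
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq "$pattern" "$f"; then
            echo "rds auto-load disabled by $f"
            found=1
        fi
    done
    # Caveat: modern modprobe (kmod) reads only *.conf files in this directory
    # (older module-init-tools read other names but warned about them), so a
    # fragment such as /etc/modprobe.d/disable-rds without the suffix is missed.
    for f in "$dir"/*; do
        case "$f" in *.conf) continue ;; esac
        [ -f "$f" ] || continue
        if grep -Eq "$pattern" "$f"; then
            echo "warning: $f contains the directive but lacks the .conf suffix; modern modprobe does not read it"
        fi
    done
    # A configuration change does not unload a module that is already present.
    if [ -r "$modules" ] && grep -q '^rds ' "$modules"; then
        echo "warning: rds is currently loaded; the directive only affects future loads"
    fi
    [ "$found" -eq 1 ]
}
```

Run it as `rds_mitigation_status /etc/modprobe.d` on the host being checked.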

Comment 4 Kyle McMartin 2010-12-02 01:44:24 UTC
Sorry, somehow the last round of stable updates went missing due to a failed build. Fixed.