Bug 680841 (CVE-2011-1021)

Summary: CVE-2011-1021 kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions
Product: [Other] Security Response
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Status: ASSIGNED
Severity: medium
Priority: medium
Reporter: Eugene Teo (Security Response) <eteo>
Assignee: Nobody <nobody>
CC: bhu, jkacur, lgoncalv, ovasik, rt-maint, williams
Keywords: Reopened, Security
Doc Type: Bug Fix
Last Closed: 2011-03-01 14:46:34 UTC
Bug Depends On: 680844
Bug Blocks: 717862

Description Eugene Teo (Security Response) 2011-02-28 06:26:29 UTC
Since /sys/kernel/debug/acpi/custom_method can be used to write arbitrary kernel memory (http://jon.oberheide.org/files/american-sign-language.c), it should be able to be left out of the kernel for system owners that want to be as defensive as possible to potential attacks, even from the root user. See as examples: CONFIG_DEVKMEM, CONFIG_STRICT_DEVMEM, and /proc/sys/kernel/modules_disabled.

https://lkml.org/lkml/2011/2/22/369

Comment 5 John Kacur 2011-04-18 22:02:35 UTC
I believe this is the upstream solution
ed3aada1bf34c5a9e98af167f125f8a740fc726a

Comment 9 Eugene Teo (Security Response) 2011-06-06 02:58:48 UTC
Statement:

The version of Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, and 6 as they did not include upstream commit a1a541d8 and a25ee920 that introduced the problem. This has been addressed in Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-1253.html.

Notes:

This requires debugfs to be mounted on a local system in order to have access
to the custom_method file. Debugfs is not mounted by default. You need to run
"mount -t debugfs nodev /sys/kernel/debug" as root first.
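
A host check for the condition in the Notes above, as an added example that is not part of the original bug report: it reads the mounts table for debugfs instances and reports whether acpi/custom_method is present under any of them. The function names and the two optional arguments (mounts file, path prefix) are assumptions made for illustration and testing.

```shell
#!/bin/sh
# Added example: audit exposure of the ACPI custom_method debugfs file.
# Run as root on a live host; a non-root user usually cannot look inside
# the debugfs mount, so the file test below would miss the file.
# Optional arguments (assumptions, used to point the check at fixtures):
#   $1  mounts table to read       (default: /proc/mounts)
#   $2  prefix for each mount point (default: empty, i.e. the live system)

# Print the mount point of every debugfs instance in the mounts table.
debugfs_mountpoints() {
    # Fields: device mountpoint fstype options dump pass
    awk '$3 == "debugfs" { print $2 }' "${1:-/proc/mounts}"
}

# Print one word describing the host state:
#   not-mounted               no debugfs instance is mounted
#   mounted-no-custom-method  debugfs is mounted, the file is absent
#   exposed                   acpi/custom_method exists under a debugfs mount
custom_method_status() {
    mounts=${1:-/proc/mounts}
    prefix=${2:-}
    state=not-mounted
    # debugfs may be mounted in more than one place; check every instance.
    for mp in $(debugfs_mountpoints "$mounts"); do
        [ "$state" = exposed ] || state=mounted-no-custom-method
        if [ -e "$prefix$mp/acpi/custom_method" ]; then
            state=exposed
        fi
    done
    echo "$state"
}

# Report the state of the host this script is run on.
custom_method_status "$@"
```

A result of `exposed` means the precondition described in the Notes is met on that host; `mounted-no-custom-method` means debugfs is mounted but the running kernel does not provide the file.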

Comment 10 Eugene Teo (Security Response) 2011-06-08 02:43:20 UTC
(In reply to comment #5)
> I believe this is the upstream solution
> ed3aada1bf34c5a9e98af167f125f8a740fc726a

No, this is not the upstream solution. This patch is for CVE-2010-4347. For CVE-2011-1021, please refer to https://lkml.org/lkml/2011/2/22/369.

Comment 11 errata-xmlrpc 2011-09-12 19:46:21 UTC
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2011:1253 https://rhn.redhat.com/errata/RHSA-2011-1253.html