Bug 111305 - Local exploit: Userland can access full kernel memory
Local exploit: Userland can access full kernel memory
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
All Linux
high Severity medium
: ---
: ---
Assigned To: Arjan van de Ven
Brian Brock
: Security
Depends On:
  Show dependency treegraph
Reported: 2003-12-01 16:32 EST by Robert Scheck
Modified: 2007-11-30 17:10 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2003-12-02 04:37:20 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Robert Scheck 2003-12-01 16:32:13 EST
Description of problem:
Vulnerability  : userland can access full kernel memory 
Problem type   : local
Debian-specific: no
CVE Id(s)      : CAN-2003-0961

Recently multiple servers of the Debian project were compromised 
using a
Debian developers account and an unknown root exploit. Forensics
revealed a burneye encrypted exploit. Robert van der Meulen managed 
decrypt the binary which revealed a kernel exploit. Study of the 
by the RedHat and SuSE kernel and security teams quickly revealed 
the exploit used an integer overflow in the brk system call. Using
this bug it is possible for a userland program to trick the kernel 
giving access to the full kernel address space. This problem was 
in September by Andrew Morton, but unfortunately that was too late 
the 2.4.22 kernel release.


Version-Release number of selected component (if applicable):

How reproducible:
Get the exploit or look at debian.org ;-)

Actual results:
Patched in 2.4.23 for the 2.4 tree.

Expected results:
Update to 2.4.23 or backport the patch. And don't forget the patches 
for the older Red Hat versions.

Additional info:
Someone might slap me if I'm wrong, but I can't find any backport in 
the actual Fedora Core 1 kernel...
Comment 1 Robert Scheck 2003-12-01 16:53:15 EST
--- linux-2.4.22/mm/mmap.c.orig 2003-12-01 22:45:21.000000000 +0100
+++ linux-2.4.22/mm/mmap.c      2003-12-01 22:47:23.000000000 +0100
@@ -1041,6 +1041,9 @@
        if (!len)
                return addr;

+       if ((addr + len) > TASK_SIZE || (addr + len) < addr)
+               return -EINVAL;
         * mlock MCL_FUTURE?
Comment 2 Mark J. Cox 2003-12-02 04:37:20 EST
not vulnerable - patch exists in linux-2.4.18-smallpatches.patch

Note You need to log in before you can comment on or make changes to this bug.