Bug 111305 - Local exploit: Userland can access full kernel memory
Local exploit: Userland can access full kernel memory
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
1
All Linux
high Severity medium
: ---
: ---
Assigned To: Arjan van de Ven
Brian Brock
http://www.securityfocus.com/archive/...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-12-01 16:32 EST by Robert Scheck
Modified: 2007-11-30 17:10 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-12-02 04:37:20 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Robert Scheck 2003-12-01 16:32:13 EST
Description of problem:
Vulnerability  : userland can access full kernel memory 
Problem type   : local
Debian-specific: no
CVE Id(s)      : CAN-2003-0961

Recently multiple servers of the Debian project were compromised 
using a
Debian developers account and an unknown root exploit. Forensics
revealed a burneye encrypted exploit. Robert van der Meulen managed 
to
decrypt the binary which revealed a kernel exploit. Study of the 
exploit
by the RedHat and SuSE kernel and security teams quickly revealed 
that
the exploit used an integer overflow in the brk system call. Using
this bug it is possible for a userland program to trick the kernel 
into
giving access to the full kernel address space. This problem was 
found
in September by Andrew Morton, but unfortunately that was too late 
for
the 2.4.22 kernel release.

http://lists.debian.
org/debian-security-announce/debian-security-announce-2003/msg00212.
html

Version-Release number of selected component (if applicable):
kernel-2.4.22-1.2115.nptl

How reproducible:
Get the exploit or look at debian.org ;-)

Actual results:
Patched in 2.4.23 for the 2.4 tree.

Expected results:
Update to 2.4.23 or backport the patch. And don't forget the patches 
for the older Red Hat versions.

Additional info:
Someone might slap me if I'm wrong, but I can't find any backport in 
the actual Fedora Core 1 kernel...
Comment 1 Robert Scheck 2003-12-01 16:53:15 EST
--- linux-2.4.22/mm/mmap.c.orig 2003-12-01 22:45:21.000000000 +0100
+++ linux-2.4.22/mm/mmap.c      2003-12-01 22:47:23.000000000 +0100
@@ -1041,6 +1041,9 @@
        if (!len)
                return addr;

+       if ((addr + len) > TASK_SIZE || (addr + len) < addr)
+               return -EINVAL;
+
        /*
         * mlock MCL_FUTURE?
         */
Comment 2 Mark J. Cox (Product Security) 2003-12-02 04:37:20 EST
not vulnerable - patch exists in linux-2.4.18-smallpatches.patch
(2.4.22-1.2115.nptl)

Note You need to log in before you can comment on or make changes to this bug.