Bug 144134 - (IT_62049) CAN-2004-1235 isec.pl uselib() privilege escalation
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kernel
Version: 3.0
Hardware: All Linux
Priority: medium
Severity: high
Assigned To: Dave Anderson
Whiteboard: reported=20041222,public=20050106,imp...
Keywords: Security
Doc Type: Bug Fix
Reported: 2005-01-04 14:36 EST by Josh Bressers
Modified: 2007-11-30 17:07 EST
Last Closed: 2005-01-18 18:52:47 EST

Attachments: None
Description Josh Bressers 2005-01-04 14:36:00 EST
isec.pl reported a missing down() on mmap_sem semaphore whilst calling do_brk;
so if do_brk() sleeps on a kmalloc it may get into a VMA list race - leading to
results similar to the do_brk exploit.
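The description above is terse about why a missing down() matters. The following is an added example, not kernel or Red Hat code: a deterministic single-threaded model of the race as the description states it, with simplified stand-ins for the VMA list, mmap_sem (a writer flag), do_brk() and a second task in the same mm that runs while do_brk() sleeps in kmalloc(). The addresses and the racing mapping are constructed. The same model with the caller holding mmap_sem (the shape of the fix) keeps the list intact.

```c
/* Model of the VMA-list race in the CAN-2004-1235 description (added example,
 * not kernel code): do_brk() entered without mmap_sem sleeps in kmalloc(), and
 * another task in the same mm changes the VMA list in the meantime. */
#include <stdio.h>
#include <stdlib.h>

struct vma { unsigned long start, end; struct vma *next; };  /* sorted, no overlap */
struct mm_struct { struct vma *mmap; int mmap_sem_writer; };

/* mmap_sem stand-in: a writer flag is enough for a single-threaded model. */
static void down_write(struct mm_struct *mm) { mm->mmap_sem_writer = 1; }
static void up_write(struct mm_struct *mm)   { mm->mmap_sem_writer = 0; }

/* Address of the link that should point at a VMA starting at 'start'. */
static struct vma **find_link(struct mm_struct *mm, unsigned long start)
{
    struct vma **link = &mm->mmap;
    while (*link && (*link)->start < start)
        link = &(*link)->next;
    return link;
}

static int range_free(struct mm_struct *mm, unsigned long s, unsigned long e)
{
    for (struct vma *v = mm->mmap; v; v = v->next)
        if (s < v->end && v->start < e)
            return 0;
    return 1;
}

/* A well-behaved mapper: rejects overlap, inserts in sorted position. */
static int do_mmap_model(struct mm_struct *mm, unsigned long s, unsigned long e)
{
    if (!range_free(mm, s, e))
        return -1;
    struct vma *v = malloc(sizeof *v);
    struct vma **link = find_link(mm, s);
    v->start = s; v->end = e; v->next = *link; *link = v;
    return 0;
}

/* The second task: one pending mmap() of [s, e).  It honours mmap_sem, so it
 * only makes progress when no writer holds the lock. */
struct task { unsigned long s, e; int done; };

static void other_task(struct mm_struct *mm, struct task *t)
{
    if (t->done || mm->mmap_sem_writer)   /* would block in down_write() */
        return;
    do_mmap_model(mm, t->s, t->e);
    t->done = 1;
}

/* do_brk() as the buggy caller reached it: look up the insertion point, then
 * sleep in kmalloc() for the new VMA.  The other task runs during the sleep. */
static void do_brk_model(struct mm_struct *mm, unsigned long s, unsigned long e,
                         struct task *other)
{
    struct vma **link = find_link(mm, s);   /* computed before the sleep */
    other_task(mm, other);                  /* kmalloc() sleeps here ... */
    struct vma *v = malloc(sizeof *v);      /* ... and returns */
    v->start = s; v->end = e;
    v->next = *link;                        /* 'link' may be stale by now */
    *link = v;
}

static int list_consistent(struct mm_struct *mm)
{
    for (struct vma *v = mm->mmap; v && v->next; v = v->next)
        if (v->end > v->next->start)
            return 0;
    return 1;
}

static void free_mm(struct mm_struct *mm)
{
    while (mm->mmap) {
        struct vma *n = mm->mmap->next;
        free(mm->mmap);
        mm->mmap = n;
    }
}

/* Returns 1 if the VMA list is still sorted and non-overlapping afterwards,
 * 0 if the race corrupted it. */
int run_race(int caller_takes_mmap_sem)
{
    struct mm_struct mm = { NULL, 0 };
    do_mmap_model(&mm, 0x1000, 0x2000);         /* constructed: existing mappings */
    do_mmap_model(&mm, 0x8000, 0x9000);
    struct task other = { 0x3000, 0x5000, 0 };  /* constructed: the racing mmap() */

    if (caller_takes_mmap_sem)
        down_write(&mm);                        /* the fix: hold mmap_sem around do_brk() */
    do_brk_model(&mm, 0x4000, 0x6000, &other);  /* the library's bss */
    if (caller_takes_mmap_sem)
        up_write(&mm);
    other_task(&mm, &other);                    /* runs once the lock is free */

    int ok = list_consistent(&mm);
    free_mm(&mm);
    return ok;
}

int main(void)
{
    printf("without mmap_sem: VMA list %s\n", run_race(0) ? "intact" : "corrupted");
    printf("with mmap_sem:    VMA list %s\n", run_race(1) ? "intact" : "corrupted");
    return 0;
}
```

Without the lock, the second task's mapping lands in the gap do_brk() already chose, and do_brk() then splices its VMA in through the stale link, leaving two overlapping, out-of-order entries; with the lock held by the caller, the second task stays blocked until up_write() and is then refused because the range is taken. The real kernel race needs a second thread and a kmalloc() that actually sleeps, which this model replaces with a direct call at the sleep point.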
Comment 2 Josh Bressers 2005-01-04 14:49:22 EST
Attachment 109343: contains the patch for this issue.
Comment 5 Dave Anderson 2005-01-04 17:18:13 EST
I've built a static version of the program using gcc 2.2.5 (which doesn't
require the old_esp removal), and when run on a RHEL3 kernel, it just
causes a segmentation violation.

I've run Mark's version as well, and it also only causes a segmentation
violation.

Comment 10 Petter Reinholdtsen 2005-01-11 10:02:11 EST
When can we expect an official kernel from Red Hat fixing this issue?
Comment 13 Milan Kerslager 2005-01-11 12:13:54 EST
To make this easy to find when searching Bugzilla, we should note
that this is a uselib() privilege escalation problem (comment #1 has a
typo), or sys_uselib() if you want. See:

http://isec.pl/vulnerabilities/isec-0021-uselib.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1235
http://lwn.net/Articles/118223/

Looking forward to the RHSA...
Comment 14 Milan Kerslager 2005-01-12 15:20:23 EST
According to Andrew Morton this seems to be less risky than we thought:
http://marc.theaimsgroup.com/?l=linux-kernel&m=110513618706433&w=2
See the previous and the next posts from Alan in this thread too.
Maybe this is the reason why there is no RHSA yet?
Comment 16 Ernie Petrides 2005-01-12 22:56:45 EST
A fix for this problem has just been committed to the RHEL3 E5
patch pool this evening (in kernel version 2.4.21-27.0.2.EL).
Comment 17 Christopher McCrory 2005-01-13 12:27:23 EST
>> According to Andrew Morton this seems to be less risky than we thought

If I read that correctly, the lkml post is NOT about the uselib issue
(what this bug is about), but references other issues that came up at
the same time (same day?).
Comment 19 Ernie Petrides 2005-01-14 19:29:12 EST
The fix for this problem has also been committed to the RHEL3 U5
patch pool this evening (in kernel version 2.4.21-27.8.EL).
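Comments 16 and 19 give the first RHEL3 kernel releases carrying the fix (2.4.21-27.0.2.EL on the E5 track, 2.4.21-27.8.EL on U5). A quick way to tell whether a host is already at or past the lower of those is to compare `uname -r` against it. This is an added example, not from the bug or the advisory: the numeric-segment comparison is a simplified stand-in for rpm's version ordering, assumes the RHEL 3 `2.4.21-` numbering only, and returns -1 for anything else so that a RHEL 4 (2.6.9) kernel is not reported as fixed by accident.

```c
/* Check a RHEL 3 kernel release against the first fixed release named in this
 * bug (added example; simplified version ordering, not rpmvercmp). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

#define FIXED_RELEASE "2.4.21-27.0.2.EL"   /* from comment 16 */

/* "2.4.21-27.0.2.EL" -> 2,4,21,27,0,2.  Runs of non-digits ('.', '-', "EL",
 * "smp", "hugemem") only act as separators. */
static int split_numeric(const char *s, long *out, int max)
{
    int n = 0;
    while (*s && n < max) {
        if (isdigit((unsigned char)*s)) {
            long v = 0;
            while (isdigit((unsigned char)*s))
                v = v * 10 + (*s++ - '0');
            out[n++] = v;
        } else {
            s++;
        }
    }
    return n;
}

/* <0, 0, >0 like strcmp(); a missing trailing segment counts as 0, so
 * "27" sorts below "27.0.2" and "27.8" sorts above it. */
static int release_cmp(const char *a, const char *b)
{
    long va[16], vb[16];
    int na = split_numeric(a, va, 16), nb = split_numeric(b, vb, 16);
    int n = na > nb ? na : nb;
    for (int i = 0; i < n; i++) {
        long x = i < na ? va[i] : 0, y = i < nb ? vb[i] : 0;
        if (x != y)
            return x < y ? -1 : 1;
    }
    return 0;
}

/* 1 = at or past FIXED_RELEASE, 0 = older (still vulnerable),
 * -1 = not a RHEL 3 2.4.21 kernel, so this comparison does not apply. */
int kernel_is_fixed(const char *release)
{
    if (strncmp(release, "2.4.21-", 7) != 0)
        return -1;
    return release_cmp(release, FIXED_RELEASE) >= 0 ? 1 : 0;
}

int main(void)
{
    struct utsname u;
    if (uname(&u) != 0) {
        perror("uname");
        return 2;
    }
    int r = kernel_is_fixed(u.release);
    printf("%s: %s\n", u.release,
           r == 1 ? "at or above " FIXED_RELEASE
         : r == 0 ? "older than " FIXED_RELEASE ", apply RHSA-2005:043"
                  : "not a RHEL 3 (2.4.21) kernel, check the advisory for your product");
    return r == 1 ? 0 : 1;
}
```

The check only tells you what kernel is running, not what is installed: a host updated to the fixed package but not yet rebooted still reports the old release, which is the correct answer for whether uselib() is still exploitable on it.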
Comment 20 Christopher McCrory 2005-01-18 14:53:26 EST
Any word on when the 2.4.21-27.0.2.EL errata will be released?
Or a RH/people pre-release link?
Comment 21 Ernie Petrides 2005-01-18 15:57:30 EST
Probably later tonight.  Sorry for the delay.
Comment 22 David Lawrence 2005-01-18 18:52:47 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-043.html
