Red Hat Bugzilla – Bug 144134
CAN-2004-1235 isec.pl uselib() privilege escalation
Last modified: 2007-11-30 17:07:05 EST
isec.pl reported a missing down() on mmap_sem semaphore whilst calling do_brk;
so if do_brk() sleeps on a kmalloc it may get into a VMA list race - leading to
results similar to the do_brk exploit.
Attachment 109343 [details]
Contains the patch for this issue.
I've built a static version the program using gcc 2.2.5 (which doesn't
require the old_esp removal), and when run on a RHEL3 kernel, it just
causes a segmentation violation.
I've run Mark's version as well, and it also only causes a segmentation
When can we expect an official kernel from RedHat fixing this issue?
To make it easy when using search through Bugzilla, we should note,
that this is a uselib() privilege escalation problem (comment #1 has a
typo) or sys_uselib() if you want. See:
Looking forward for RHSA...
According to Andrew Morton this seems to be less risky than we thought:
See the the previous and the next from Alan from this thread too.
Maybe this is the reason why there is no RHSA yet?
A fix for this problem has just been committed to the RHEL3 E5
patch pool this evening (in kernel version 2.4.21-27.0.2.EL).
>> According to Andrew Morton this seems to be less risky than we thought
If I read that correctly, the lkml post is NOT about the uselib issue
(what this bug is about), but references other issues that came up at
the same time (same day?)
The fix for this problem has also been committed to the RHEL3 U5
patch pool this evening (in kernel version 2.4.21-27.8.EL).
any word on when the 2.4.21-27.0.2.EL Errata will be released?
or a RH/people pre release link
Probably later tonight. Sorry for the delay.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.