Bug 144530 - random poolsize sysctl handler integer overflow
Summary: random poolsize sysctl handler integer overflow
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kernel
Version: 3.0
Hardware: All
OS: Linux
medium
low
Target Milestone: ---
Assignee: Ernie Petrides
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-01-07 22:23 UTC by Josh Bressers
Modified: 2007-11-30 22:07 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-04-22 20:17:34 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
Proposed patch for this issue. (828 bytes, patch)
2005-01-07 22:23 UTC, Josh Bressers
no flags Details | Diff
Avoid interger overflow in poolsize_strategy() (428 bytes, patch)
2005-01-17 23:54 UTC, Don Howard
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2005:293 0 high SHIPPED_LIVE Important: kernel security update 2005-04-22 04:00:00 UTC
Red Hat Product Errata RHSA-2005:294 0 normal SHIPPED_LIVE Moderate: Updated kernel packages available for Red Hat Enterprise Linux 3 Update 5 2005-05-18 04:00:00 UTC

Description Josh Bressers 2005-01-07 22:23:53 UTC
grsecurity announcement to full-disclosure
http://lists.netsys.com/pipermail/full-disclosure/2005-January/030660.html

This issue is low priority.  According to the advisory text "The poolsize bug
requires uid 0, but not anyroot capabilities."

Comment 1 Josh Bressers 2005-01-07 22:23:53 UTC
Created attachment 109503 [details]
Proposed patch for this issue.

Comment 2 Ernie Petrides 2005-01-11 00:47:06 UTC
Josh, uid 0 is the definition of "root capability" (at least outside
the context of SElinux).  So, the vulnerability reported at the link
provided in the initial bug comment reduces to "root can overwrite memory"
(which is possible using simpler means than the sysctl() interface).

I'm inclined to close this as WONTFIX, but I'll defer to you and Mark.
At the very least, I wouldn't consider this to be a candidate for a
security errata release.  Also, comment #1 contains an exploit, not
a patch.

Cheers.  -ernie

Comment 3 Josh Bressers 2005-01-11 03:00:40 UTC
Ernie, I agree.  I filed this bug to have one of you kernel capable people to
verify that this is true.  We won't fix this if that's the case.

Comment 4 Don Howard 2005-01-17 23:50:34 UTC
Why would we not fix this?



Comment 5 Don Howard 2005-01-17 23:54:14 UTC
Created attachment 109900 [details]
Avoid interger overflow in poolsize_strategy()

Comment 6 Don Howard 2005-01-17 23:57:25 UTC
The above patch corrects the system hang that can occur with the
exploit  from comment #1.

Comment 8 Ernie Petrides 2005-04-07 22:27:37 UTC
Revised patch posted for review on 7-Apr-2005.

Comment 9 Ernie Petrides 2005-04-14 00:24:41 UTC
A fix for this problem has just been committed to the RHEL3 E5
patch pool this evening (in kernel version 2.4.21-27.0.3.EL).


Comment 10 Ernie Petrides 2005-04-16 01:27:17 UTC
A fix for this problem has also been committed to the RHEL3 U5
patch pool this evening (in kernel version 2.4.21-32.EL).


Comment 11 Josh Bressers 2005-04-22 20:17:34 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-293.html


Comment 12 Tim Powers 2005-05-18 13:29:04 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-294.html



Note You need to log in before you can comment on or make changes to this bug.