Bug 144530 - random poolsize sysctl handler integer overflow
random poolsize sysctl handler integer overflow
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kernel (Show other bugs)
3.0
All Linux
medium Severity low
: ---
: ---
Assigned To: Ernie Petrides
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-01-07 17:23 EST by Josh Bressers
Modified: 2007-11-30 17:07 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-04-22 16:17:34 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Proposed patch for this issue. (828 bytes, patch)
2005-01-07 17:23 EST, Josh Bressers
no flags Details | Diff
Avoid interger overflow in poolsize_strategy() (428 bytes, patch)
2005-01-17 18:54 EST, Don Howard
no flags Details | Diff

  None (edit)
Description Josh Bressers 2005-01-07 17:23:53 EST
grsecurity announcement to full-disclosure
http://lists.netsys.com/pipermail/full-disclosure/2005-January/030660.html

This issue is low priority.  According to the advisory text "The poolsize bug
requires uid 0, but not anyroot capabilities."
Comment 1 Josh Bressers 2005-01-07 17:23:53 EST
Created attachment 109503 [details]
Proposed patch for this issue.
Comment 2 Ernie Petrides 2005-01-10 19:47:06 EST
Josh, uid 0 is the definition of "root capability" (at least outside
the context of SElinux).  So, the vulnerability reported at the link
provided in the initial bug comment reduces to "root can overwrite memory"
(which is possible using simpler means than the sysctl() interface).

I'm inclined to close this as WONTFIX, but I'll defer to you and Mark.
At the very least, I wouldn't consider this to be a candidate for a
security errata release.  Also, comment #1 contains an exploit, not
a patch.

Cheers.  -ernie
Comment 3 Josh Bressers 2005-01-10 22:00:40 EST
Ernie, I agree.  I filed this bug to have one of you kernel capable people to
verify that this is true.  We won't fix this if that's the case.
Comment 4 Don Howard 2005-01-17 18:50:34 EST
Why would we not fix this?

Comment 5 Don Howard 2005-01-17 18:54:14 EST
Created attachment 109900 [details]
Avoid interger overflow in poolsize_strategy()
Comment 6 Don Howard 2005-01-17 18:57:25 EST
The above patch corrects the system hang that can occur with the
exploit  from comment #1.
Comment 8 Ernie Petrides 2005-04-07 18:27:37 EDT
Revised patch posted for review on 7-Apr-2005.
Comment 9 Ernie Petrides 2005-04-13 20:24:41 EDT
A fix for this problem has just been committed to the RHEL3 E5
patch pool this evening (in kernel version 2.4.21-27.0.3.EL).
Comment 10 Ernie Petrides 2005-04-15 21:27:17 EDT
A fix for this problem has also been committed to the RHEL3 U5
patch pool this evening (in kernel version 2.4.21-32.EL).
Comment 11 Josh Bressers 2005-04-22 16:17:34 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-293.html
Comment 12 Tim Powers 2005-05-18 09:29:04 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-294.html

Note You need to log in before you can comment on or make changes to this bug.