grsecurity announcement to full-disclosure http://lists.netsys.com/pipermail/full-disclosure/2005-January/030660.html This issue is low priority. According to the advisory text "The poolsize bug requires uid 0, but not anyroot capabilities."
Created attachment 109503 [details] Proposed patch for this issue.
Josh, uid 0 is the definition of "root capability" (at least outside the context of SElinux). So, the vulnerability reported at the link provided in the initial bug comment reduces to "root can overwrite memory" (which is possible using simpler means than the sysctl() interface). I'm inclined to close this as WONTFIX, but I'll defer to you and Mark. At the very least, I wouldn't consider this to be a candidate for a security errata release. Also, comment #1 contains an exploit, not a patch. Cheers. -ernie
Ernie, I agree. I filed this bug to have one of you kernel capable people to verify that this is true. We won't fix this if that's the case.
Why would we not fix this?
Created attachment 109900 [details] Avoid interger overflow in poolsize_strategy()
The above patch corrects the system hang that can occur with the exploit from comment #1.
Revised patch posted for review on 7-Apr-2005.
A fix for this problem has just been committed to the RHEL3 E5 patch pool this evening (in kernel version 2.4.21-27.0.3.EL).
A fix for this problem has also been committed to the RHEL3 U5 patch pool this evening (in kernel version 2.4.21-32.EL).
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-293.html
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-294.html