Bug 152668 - KERNEL: r128 dri AND do_mremap VMA limit local privilege escalation vulnerability
KERNEL: r128 dri AND do_mremap VMA limit local privilege escalation vulnerabi...
Status: CLOSED CURRENTRELEASE
Product: Fedora Legacy
Classification: Retired
Component: General (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
http://cve.mitre.org/cgi-bin/cvename....
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-02-11 04:26 EST by Seth Vidal
Modified: 2007-04-18 13:22 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-04-05 18:50:44 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Lawrence 2005-03-30 18:23:21 EST
Alan Cox found issues in the R128 Direct Render Infrastructure that
could allow local privilege escalation. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0003 to
this issue.

This was noted in an fedora core errata.
I've been told there is an rhl9 errata due out for it soonish. And that the
patches there should work for 7.x, 8.0.



------- Additional Comments From warren@togami.com 2004-02-11 05:51:17 ----

I have confirmation that the r128 local hole is only exploitable if you load
that module, so this is easy to avoid for most server admins.



------- Additional Comments From skvidal@phy.duke.edu 2004-02-11 07:44:21 ----

which doesn't negate the need to patch it.




------- Additional Comments From bugs.michael@gmx.net 2004-02-18 04:49:44 ----

Created an attachment (id=552)
patch against rh9 erratum kernel

Attached patch turns the rh9 erratum kernel 2.4.20-30.9 src.rpm into a rh73
kernel 2.4.20-30.7.




------- Additional Comments From jkeating@j2solutions.net 2004-02-18 14:07:22 ----

*** Bug 1302 has been marked as a duplicate of this bug. ***



------- Additional Comments From jkeating@j2solutions.net 2004-02-18 14:08:14 ----

Please see comments in bug 1302 and keep adding to this bug.



------- Additional Comments From cra@wpi.edu 2004-02-18 15:27:03 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://www-astro.physics.ox.ac.uk/~dom/legacy/kernel-2.4.20-31.7.legacy.src.rpm

md5sum:

3c351d63129bf0d1b7e82e6e006d38d6  kernel-2.4.20-31.7.legacy.src.rpm

sha1sum:

86281a6578aff0e0dbd2a2fad6b11c4ab7c6561a  kernel-2.4.20-31.7.legacy.src.rpm

Verified that the only changes from kernel-2.4.20-30.9.src.rpm are:

- -%define release 30.9
+%define release 31.7.legacy

- -%define nptlarchs %{all_x86}
- -#define nptlarchs noarch
+#define nptlarchs %{all_x86}
+%define nptlarchs noarch

+* Wed Feb 18 2004 Dominic Hargreaves <dom@earth.li>
+- Backport fixes for redhat 7.2 and 7.3

Builds cleanly for Red Hat 7.3.  Tested i586 kernel on AMD K6-2 450.  Boots
and running fine.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFANBCtw2eg+Um7WIYRAg9/AKCacHWp/SPMN47JaKCXfVOENztrPQCeOr1W
Ez2lw3ZLHUvhjHKAXEA2kq8=
=0fpN
-----END PGP SIGNATURE-----




------- Additional Comments From bugs.michael@gmx.net 2004-02-18 21:51:33 ----

<sigh>

* It should become 30.7 not 31.7, as pointed out in bug 1302.

* No backporting has been done. It's simply just the rh9 erratum built for rh7
(disabling NPTL).

* I find it sort of ridiculous to move around 33 MiB huge src.rpms for a patch
that is less than 1 KiB in size, if Jesse needed to build official packages for
updates-testing anyway. Kinda inefficient. So, the only thing that's missing
here are not src.rpms, but binary kernel packages for updates-testing.

* Btw, 30.7 runs fine here on i586.



------- Additional Comments From jkeating@j2solutions.net 2004-02-19 05:42:11 ----

I'll be building binaries for updates-testing today or tomorrow.  (I'll try to
squeeze it into my work day, but I have an event to go to on Thursay nights so I
won't be able to do it after work.)



------- Additional Comments From dawson@fnal.gov 2004-02-20 09:24:55 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have downloaded RedHat's erratum kernel 2.4.20-30.9 src rpm directly from
redhat, and checked the md5sum.
I then applied the patch from comment three, by hand.
I then rebuilt the binaries on a 7.3 machine.
The binaries built without any problems that were apparent.
The resulting binaries have been tested thus far for uniprocessor and smp for th
e i686 platform.  Further testing is forthcomming, but we do not anticipate any
problems.
If needed, the src.rpm and resulting binaries have been signed and are at

ftp://linux21.fnal.gov/linux/contrib/kernel/73x/2.4.30-30

I give it a thumbs up.
Troy Dawson

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFANl532mrQCIL9F7IRAmXOAJ9gwH8ez/AeF0sPvR3cqbBxxDwXxQCfeeQN
4gLe/1UdeLhic6eXjXkINw8=
=OofO
-----END PGP SIGNATURE-----




------- Additional Comments From jkeating@j2solutions.net 2004-02-21 07:37:09 ----

Pushed to updates-testing.



------- Additional Comments From arvand@sabetian.net 2004-02-21 09:54:47 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

1057f39934c0df75852fabffb43d1e09  kernel-2.4.20-30.7.legacy.i686.rpm

RedHat 7.3

Kernel installed successfully. Reboot was without problems. Server has been runn
ing for over an hour without problems.

vote PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAN7cd/JcqR38YQ08RAvaEAKCJiz3ODrCRgRgQjEE+iGOdRQrpMgCfXQ5Y
tsCXJl26sG7Q6S657P3BtDY=
=8Jc4
-----END PGP SIGNATURE-----



------- Additional Comments From michal@harddata.com 2004-02-21 13:57:10 ----

kernel-2.4.20-30.7.legacy.athlon.rpm - runs without problems, as expected,
on two different Athlon machines.



------- Additional Comments From bugs.michael@gmx.net 2004-02-22 02:46:47 ----

Built by "legacy@yoda.loki.me", what host/build-system is this?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SHA1:
f97d96d3238aa1bb314896699e280a31ed85529d  kernel-2.4.20-30.7.legacy.athlon.rpm
d3e0a7b68e06af4045cd4f66d0a5864920dbd5b5  kernel-2.4.20-30.7.legacy.i586.rpm

* match my own builds very closely
* both install and boot fine
* i586 version runs for a few hours

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAOKSr0iMVcrivHFQRAvAjAJ47lSlM5b2zjK6aszQ1ox+HWSGYKwCeIomf
+O2jfUfdJIrGghKYtGF7J9w=
=Aijq
-----END PGP SIGNATURE-----




------- Additional Comments From jkeating@j2solutions.net 2004-02-23 19:22:57 ----

Comment #13

"legacy@yoda.loki.me" is a local machine on my personal network.  We have yet to
get the real buildsystem up and running, some issues w/ vserver and amd64
kernels.  Hopefully we'll have it soon, and the build system will be
"legacy@pogo.fedoralegacy.org"



------- Additional Comments From jkeating@j2solutions.net 2004-02-25 05:27:40 ----

*** Bug 1323 has been marked as a duplicate of this bug. ***



------- Additional Comments From tru@pasteur.fr 2004-02-25 07:27:45 ----

It works for me with kernel-BOOT (kickstart on rebuild bootnet.img) and kernel
for athlon (UP). I don't have any other machines to test on.

Tru



------- Additional Comments From rostetter@mail.utexas.edu 2004-02-26 06:42:28 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
* Downloaded kernel-2.4.20-30.7.legacy.i686.rpm from
http://download.fedoralegacy.org/redhat/7.2/updates-testing/i386/
* RPM says gpg key and md5 check out.  Validated the signature fingerprint.
* Installed fine on 3 RH 7.2 i686 (PIII) machines.
* Manually updated lilo for new kernel.
* All rebooted fine, running fine.
 
* Downloaded kernel-smp-2.4.20-30.7.legacy.i686.rpm
http://download.fedoralegacy.org/redhat/7.2/updates-testing/i386/
* RPM says gpg key and md5 check out.  Validated the signature fingerprint.
* Installed fine on 1 RH 7.2 i686 SMP (PII) machine.
* Manually updated lilo for new kernel.
* Rebooted fine, running fine.
 
* Vote for publish...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFAPiGo4jZRbknHoPIRAmpvAJ4jgHO+3Y2uaCvFPMbSkyBOhVY6zACgiR1J
waFlwtSHJVoMv0ky6sHwkFk=
=ER+p
-----END PGP SIGNATURE-----



------- Additional Comments From rostetter@mail.utexas.edu 2004-02-28 08:31:56 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
* Downloaded kernel-smp-2.4.20-30.8.legacy.i686.rpm and
  kernel-source-2.4.20-30.8.legacy.i386.rpm from
  http://download.fedoralegacy.org/redhat/8.0/updates-testing/i386/
* RPM says keys and md5 hashes check out, validated the signature fingerprints.
* Installed fine on a RH 8.0 P4 Xeon SMP machine, except...
* Updates lilo with a label of "2.4.20-30.8.legacysmp" which is too long
  for lilo, so you can't run /sbin/lilo on it until you change the label.
* Updated /etc/lilo.conf for shorter label and ran lilo to install it.
* All rebooted fine, running fine.
 
* Guess it is okay to publish even with the lilo issue; not sure if/how
  to fix the lilo issue...  Could be an issue for newbies...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFAQN3u4jZRbknHoPIRAmS5AJ9hPTdE9fWgSGoQtAdgDdiA4g2iQwCfWNAL
z54NybJW3qOFnCJL+h6RtUY=
=rKUb
-----END PGP SIGNATURE-----



------- Additional Comments From warren@togami.com 2004-02-28 11:41:23 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
kernel-2.4.20-30.8.legacy
 
Tested this within VMWare 4.0.5 with some stress testing.
Seems OK for me.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFAQQria93+jlSirPERApZfAKCOaegzSPl1kxImnCG+aRH09k3WeQCfcLNi
mkDbTmyIlvsTZTtuDxJHdeM=
=LAn8
-----END PGP SIGNATURE-----

(athlon only tested)



------- Additional Comments From troels@arvin.dk 2004-02-29 22:20:04 ----

As Eric, I ran into the lilo problem: I used yum to install the kernel on two
different servers, both using lilo as the boot-loader (because they boot form a
software raid - grub doesn't handle that situation well). After the kernel had
been installed, lilo couln't be run because the boot label of the newly
installed kernel was too long:

On a SMP server:
Fatal: Label "2.4.20-30.8.legacysmp" is too long

and on the single-CPU server:
Fatal: Label "2.4.20-30.8.legacy" is too long

Apart from this: No problems found.




------- Additional Comments From skvidal@phy.duke.edu 2004-03-01 13:18:18 ----

Set this one to publish - been running it on production boxes all over duke for
a number of days now. Looking good.
PUBLISH



------- Additional Comments From troels@arvin.dk 2004-03-01 13:36:15 ----

I'm not sure which utility actually adjusts lilo. Does anyone know? Can that
utility be told not to add ".legacy" in the kernel image name?



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:23 -------

This bug previously known as bug 1284 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1284
Originally filed under the Fedora Legacy product and General component.

Attachments:
patch against rh9 erratum kernel
https://bugzilla.fedora.us/attachment.cgi?action=view&id=552

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity major. Setting to default severity "normal".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.


Note You need to log in before you can comment on or make changes to this bug.