Bug 426365 - (CVE-2007-6434) CVE-2007-6434 VM/Security: add security hook to do_brk
CVE-2007-6434 VM/Security: add security hook to do_brk
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On:
  Show dependency treegraph
Reported: 2007-12-20 09:58 EST by Jan Lieskovsky
Modified: 2010-04-08 17:36 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-04-08 17:36:00 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2007-12-20 09:58:57 EST
Description of problem:

Eric Paris has commited upstream the following check:

Given a specifically crafted binary do_brk() can be used to get low pages
available in userspace virtual memory and can thus be used to circumvent
the mmap_min_addr low memory protection.  Add security checks in do_brk().

<cite from CVE description>

Linux kernel 2.6.23 allows local users to create low pages in virtual userspace
memory and bypass mmap_min_addr protection via a crafted executable file that
calls the do_brk function.


The patch provided in the upstream commit above (See URL).
Comment 5 Jan Lieskovsky 2007-12-20 10:11:21 EST
This bug is filled against the FC8 kernel ( and later).
This bug (CVE-2007-6434) doesn't affect RHEL kernels from 2.1 up to 5.2.
The affected feature was introduced in the upstream kernel starting from
version 2.6.23. 

Eric Paris about this topic:

CVE-2007-6434 does not apply to RHEL.  It talks about a flaw in my original
implementation of mmap_min_addr upstream.  Since RHEL never implemented this at
all there is no flaw in the original implementation. (mind you we have no
protection, but at least from what I can read about this CVE it isn't applicable
to us at all)

This CVE would apply to fedora which shipped a 2.6.24 kernel.
Comment 6 Chuck Ebbert 2007-12-21 15:41:20 EST
To make the mmap protection work right in 2.6.23, commit
7cd94146cd504016315608e297219f9fb7b1413b is needed too. Otherwise programs using
mmap address hints may fail mysteriously if the hint address is below the minimum.
Comment 7 Eugene Teo (Security Response) 2008-07-24 02:38:23 EDT
Reference: http://lkml.org/lkml/2007/12/4/182
Comment 8 Eric Paris 2009-08-12 10:03:33 EDT
Can we close this bug, it's been long fixed in fedora....

Note You need to log in before you can comment on or make changes to this bug.