Red Hat Bugzilla – Bug 426365
CVE-2007-6434 VM/Security: add security hook to do_brk
Last modified: 2010-04-08 17:36:00 EDT
Description of problem:
Eric Paris has commited upstream the following check:
Given a specifically crafted binary do_brk() can be used to get low pages
available in userspace virtual memory and can thus be used to circumvent
the mmap_min_addr low memory protection. Add security checks in do_brk().
<cite from CVE description>
Linux kernel 2.6.23 allows local users to create low pages in virtual userspace
memory and bypass mmap_min_addr protection via a crafted executable file that
calls the do_brk function.
The patch provided in the upstream commit above (See URL).
This bug is filled against the FC8 kernel (220.127.116.11-42.fc8 and later).
This bug (CVE-2007-6434) doesn't affect RHEL kernels from 2.1 up to 5.2.
The affected feature was introduced in the upstream kernel starting from
Eric Paris about this topic:
CVE-2007-6434 does not apply to RHEL. It talks about a flaw in my original
implementation of mmap_min_addr upstream. Since RHEL never implemented this at
all there is no flaw in the original implementation. (mind you we have no
protection, but at least from what I can read about this CVE it isn't applicable
to us at all)
This CVE would apply to fedora which shipped a 2.6.24 kernel.
To make the mmap protection work right in 2.6.23, commit
7cd94146cd504016315608e297219f9fb7b1413b is needed too. Otherwise programs using
mmap address hints may fail mysteriously if the hint address is below the minimum.
Can we close this bug, it's been long fixed in fedora....