Bug 426365 (CVE-2007-6434) - CVE-2007-6434 VM/Security: add security hook to do_brk
Summary: CVE-2007-6434 VM/Security: add security hook to do_brk
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-6434
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://git.kernel.org/?p=linux/kernel...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-12-20 14:58 UTC by Jan Lieskovsky
Modified: 2021-11-12 19:47 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-04-08 21:36:00 UTC
Embargoed:


Attachments (Terms of Use)

Description Jan Lieskovsky 2007-12-20 14:58:57 UTC
Description of problem:

Eric Paris has commited upstream the following check:

Given a specifically crafted binary do_brk() can be used to get low pages
available in userspace virtual memory and can thus be used to circumvent
the mmap_min_addr low memory protection.  Add security checks in do_brk().

<cite from CVE description>

Linux kernel 2.6.23 allows local users to create low pages in virtual userspace
memory and bypass mmap_min_addr protection via a crafted executable file that
calls the do_brk function.

</cite>

The patch provided in the upstream commit above (See URL).

Comment 5 Jan Lieskovsky 2007-12-20 15:11:21 UTC
This bug is filled against the FC8 kernel (2.6.23.1-42.fc8 and later).
This bug (CVE-2007-6434) doesn't affect RHEL kernels from 2.1 up to 5.2.
The affected feature was introduced in the upstream kernel starting from
version 2.6.23. 


Eric Paris about this topic:

CVE-2007-6434 does not apply to RHEL.  It talks about a flaw in my original
implementation of mmap_min_addr upstream.  Since RHEL never implemented this at
all there is no flaw in the original implementation. (mind you we have no
protection, but at least from what I can read about this CVE it isn't applicable
to us at all)

This CVE would apply to fedora which shipped a 2.6.24 kernel.

Comment 6 Chuck Ebbert 2007-12-21 20:41:20 UTC
To make the mmap protection work right in 2.6.23, commit
7cd94146cd504016315608e297219f9fb7b1413b is needed too. Otherwise programs using
mmap address hints may fail mysteriously if the hint address is below the minimum.


Comment 7 Eugene Teo (Security Response) 2008-07-24 06:38:23 UTC
Reference: http://lkml.org/lkml/2007/12/4/182

Comment 8 Eric Paris 2009-08-12 14:03:33 UTC
Can we close this bug, it's been long fixed in fedora....


Note You need to log in before you can comment on or make changes to this bug.