Description of problem: Eric Paris has commited upstream the following check: Given a specifically crafted binary do_brk() can be used to get low pages available in userspace virtual memory and can thus be used to circumvent the mmap_min_addr low memory protection. Add security checks in do_brk(). <cite from CVE description> Linux kernel 2.6.23 allows local users to create low pages in virtual userspace memory and bypass mmap_min_addr protection via a crafted executable file that calls the do_brk function. </cite> The patch provided in the upstream commit above (See URL).
This bug is filled against the FC8 kernel (2.6.23.1-42.fc8 and later). This bug (CVE-2007-6434) doesn't affect RHEL kernels from 2.1 up to 5.2. The affected feature was introduced in the upstream kernel starting from version 2.6.23. Eric Paris about this topic: CVE-2007-6434 does not apply to RHEL. It talks about a flaw in my original implementation of mmap_min_addr upstream. Since RHEL never implemented this at all there is no flaw in the original implementation. (mind you we have no protection, but at least from what I can read about this CVE it isn't applicable to us at all) This CVE would apply to fedora which shipped a 2.6.24 kernel.
To make the mmap protection work right in 2.6.23, commit 7cd94146cd504016315608e297219f9fb7b1413b is needed too. Otherwise programs using mmap address hints may fail mysteriously if the hint address is below the minimum.
Reference: http://lkml.org/lkml/2007/12/4/182
Can we close this bug, it's been long fixed in fedora....