Description of problem:

commit f9fabcb58a6d26d6efde842d1703ac7cfa9427b6
Author: Julien Tinnes <jt@cr0.org>
Date:   Fri Jun 26 20:27:40 2009 +0200

    personality: fix PER_CLEAR_ON_SETID

    We have found that the current PER_CLEAR_ON_SETID mask on Linux doesn't
    include either ADDR_COMPAT_LAYOUT or MMAP_PAGE_ZERO.

    The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.

    We believe it is important to add MMAP_PAGE_ZERO, because by using this
    personality it is possible to have the first page mapped inside a
    process running as setuid root. This could be used in those scenarios:

    - Exploiting a NULL pointer dereference issue in a setuid root binary
    - Bypassing the mmap_min_addr restrictions of the Linux kernel: by
      running a setuid binary that would drop privileges before giving us
      control back (for instance by loading a user-supplied library), we
      could get the first page mapped in a process we control. By further
      using mremap and mprotect on this mapping, we can then completely
      bypass the mmap_min_addr restrictions.

    Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
    since on x86 32bits it will in practice disable most of the address
    space layout randomization (only the stack will remain randomized).

    Signed-off-by: Julien Tinnes <jt@cr0.org>
    Signed-off-by: Tavis Ormandy <taviso@sdf.lonestar.org>
    Cc: stable@kernel.org
    Acked-by: Christoph Hellwig <hch@infradead.org>
    Acked-by: Kees Cook <kees@ubuntu.com>
    Acked-by: Eugene Teo <eugene@redhat.com>
    [ Shortened lines and fixed whitespace as per Christoph's suggestion ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Upstream commit:
http://git.kernel.org/linus/f9fabcb58a6d26d6efde842d1703ac7cfa9427b6
Informed oss-security: http://www.openwall.com/lists/oss-security/2009/07/16/1
MITRE's CVE-2009-1895 entry:

The personality subsystem in the Linux kernel before 2.6.31-rc3 has a PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags when executing a setuid or setgid program, which makes it easier for local users to leverage the details of memory usage to (1) conduct NULL pointer dereference attacks, (2) bypass the mmap_min_addr protection mechanism, or (3) defeat address space layout randomization (ASLR).

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1895
http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f9fabcb58a6d26d6efde842d1703ac7cfa9427b6
http://patchwork.kernel.org/patch/32598/
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.31-rc3
https://bugs.launchpad.net/bugs/cve/2009-1895
http://www.securityfocus.com/bid/35647
http://www.osvdb.org/55807
http://secunia.com/advisories/35801
http://www.vupen.com/english/advisories/2009/1866
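The following is an added example, not code from this bug report or from the kernel patch. It models the step the kernel takes when it executes a set-uid or set-gid image (the bits named in PER_CLEAR_ON_SETID are dropped from the process personality) with the mask before and after the fix, so the difference the commit makes can be checked flag by flag. The flag values are those of include/linux/personality.h; the parser assumes the /proc/<pid>/personality format of eight hex digits and a newline, which is how an audit script would read the personality of a running process.

```c
/* Added example (not from the bug report or the kernel patch): models the
 * personality clearing done on a set-id exec under the old and the fixed
 * PER_CLEAR_ON_SETID mask, and parses /proc/<pid>/personality so the same
 * check can be applied to running processes. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flag bits as defined in include/linux/personality.h */
#define ADDR_NO_RANDOMIZE   0x0040000UL  /* disable VA-space randomization */
#define MMAP_PAGE_ZERO      0x0100000UL  /* allow page 0 to be mapped      */
#define ADDR_COMPAT_LAYOUT  0x0200000UL  /* legacy mmap layout             */
#define READ_IMPLIES_EXEC   0x0400000UL  /* PROT_READ implies PROT_EXEC    */

/* Mask before the fix (kernels before 2.6.31-rc3) */
#define PER_CLEAR_ON_SETID_OLD   (READ_IMPLIES_EXEC | ADDR_NO_RANDOMIZE)
/* Mask after commit f9fabcb58a6d26d6efde842d1703ac7cfa9427b6 */
#define PER_CLEAR_ON_SETID_FIXED (READ_IMPLIES_EXEC | ADDR_NO_RANDOMIZE | \
                                  ADDR_COMPAT_LAYOUT | MMAP_PAGE_ZERO)

/* Flags whose survival across a set-id exec is the concern of CVE-2009-1895 */
#define RISKY_FLAGS (MMAP_PAGE_ZERO | ADDR_COMPAT_LAYOUT | \
                     ADDR_NO_RANDOMIZE | READ_IMPLIES_EXEC)

/* The new image inherits the caller's personality; the kernel only drops
 * clear_mask when the exec changes credentials (set-uid/set-gid image). */
unsigned long personality_after_exec(unsigned long persona, int setid_exec,
                                     unsigned long clear_mask)
{
    return setid_exec ? (persona & ~clear_mask) : persona;
}

/* Bits of RISKY_FLAGS still set after a set-id exec under clear_mask. */
unsigned long risky_flags_surviving(unsigned long persona,
                                    unsigned long clear_mask)
{
    return personality_after_exec(persona, 1, clear_mask) & RISKY_FLAGS;
}

/* Parse the text of /proc/<pid>/personality ("%08x\n").
 * Returns the value, or (unsigned long)-1 if the input is malformed. */
unsigned long proc_personality_value(const char *text)
{
    char *end;
    unsigned long v;

    errno = 0;
    v = strtoul(text, &end, 16);
    if (end == text || errno != 0)
        return (unsigned long)-1;
    while (*end == '\n' || *end == ' ')
        end++;
    return *end == '\0' ? v : (unsigned long)-1;
}

/* Comma-separated names of the RISKY_FLAGS bits set in persona ("none" if
 * no such bit is set). Uses a static buffer, as a small audit tool would. */
const char *risky_flag_names(unsigned long persona)
{
    static const struct { unsigned long bit; const char *name; } tab[] = {
        { MMAP_PAGE_ZERO,     "MMAP_PAGE_ZERO" },
        { ADDR_COMPAT_LAYOUT, "ADDR_COMPAT_LAYOUT" },
        { ADDR_NO_RANDOMIZE,  "ADDR_NO_RANDOMIZE" },
        { READ_IMPLIES_EXEC,  "READ_IMPLIES_EXEC" },
    };
    static char buf[128];   /* four names plus separators fit easily */
    size_t i;

    buf[0] = '\0';
    for (i = 0; i < sizeof tab / sizeof tab[0]; i++) {
        if (persona & tab[i].bit) {
            if (buf[0])
                strcat(buf, ",");
            strcat(buf, tab[i].name);
        }
    }
    return buf[0] ? buf : "none";
}

int main(void)
{
    /* Constructed input: the personality a caller holds after
     * personality(MMAP_PAGE_ZERO | ADDR_NO_RANDOMIZE), before a set-id exec. */
    unsigned long before = MMAP_PAGE_ZERO | ADDR_NO_RANDOMIZE;
    FILE *f;
    char line[32];

    printf("caller personality            : %s\n", risky_flag_names(before));
    printf("after set-id exec, old mask   : %s\n",
           risky_flag_names(personality_after_exec(before, 1,
                                                   PER_CLEAR_ON_SETID_OLD)));
    printf("after set-id exec, fixed mask : %s\n",
           risky_flag_names(personality_after_exec(before, 1,
                                                   PER_CLEAR_ON_SETID_FIXED)));

    /* On Linux, also report this process, read the way an audit over
     * /proc/<pid>/personality would read any process. */
    f = fopen("/proc/self/personality", "r");
    if (f) {
        if (fgets(line, sizeof line, f)) {
            unsigned long v = proc_personality_value(line);
            if (v != (unsigned long)-1)
                printf("this process: 0x%08lx (%s)\n", v, risky_flag_names(v));
        }
        fclose(f);
    }
    return 0;
}
```

With the old mask, MMAP_PAGE_ZERO survives the set-id exec while ADDR_NO_RANDOMIZE is cleared; with the fixed mask none of the four flags survive. A non-set-id exec keeps all of them in both versions, which is the intended behaviour (tools such as setarch rely on it), so an audit should only flag these bits on processes that gained privilege through exec.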
kernel-2.6.29.6-217.2.3.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/kernel-2.6.29.6-217.2.3.fc11
kernel-2.6.27.29-170.2.78.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/kernel-2.6.27.29-170.2.78.fc10
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1193 https://rhn.redhat.com/errata/RHSA-2009-1193.html
kernel-2.6.27.29-170.2.78.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
kernel-2.6.29.6-217.2.3.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
Kbase article: http://kbase.redhat.com/faq/docs/DOC-17866
Is there an ETA as to when the patch for RHEL 4 will be released?
(In reply to comment #10)
> Is there an ETA as to when the patch for RHEL 4 will be released?

It will be addressed in the next update. The schedule for this is not confirmed yet. Feel free to send us an email at secalert@redhat.com instead. Thanks.
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1438 https://rhn.redhat.com/errata/RHSA-2009-1438.html

This issue has been addressed in the following products:

  MRG for RHEL-5

Via RHSA-2009:1540 https://rhn.redhat.com/errata/RHSA-2009-1540.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1550 https://rhn.redhat.com/errata/RHSA-2009-1550.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.2 Z Stream

Via RHSA-2010:0079 https://rhn.redhat.com/errata/RHSA-2010-0079.html