Bug 511171 (CVE-2009-1895) - CVE-2009-1895 kernel: personality: fix PER_CLEAR_ON_SETID
Summary: CVE-2009-1895 kernel: personality: fix PER_CLEAR_ON_SETID
Status: CLOSED ERRATA
Alias: CVE-2009-1895
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,source=lkml,public=2...
Keywords: Security
Depends On: 504072 508842 508843 508845 508846 511172 511173 549236 1650673
Blocks:
 
Reported: 2009-07-14 01:51 UTC by Eugene Teo (Security Response)
Modified: 2019-06-08 12:47 UTC (History)
Clone Of:
Last Closed: 2016-06-10 22:31:42 UTC




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1193 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-08-04 13:15:15 UTC
Red Hat Product Errata RHSA-2009:1438 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-09-15 08:30:27 UTC
Red Hat Product Errata RHSA-2009:1540 normal SHIPPED_LIVE Important: kernel-rt security, bug fix, and enhancement update 2009-11-03 18:21:07 UTC
Red Hat Product Errata RHSA-2009:1550 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-11-03 21:59:47 UTC
Red Hat Product Errata RHSA-2010:0079 normal SHIPPED_LIVE Important: kernel security and bug fix update 2010-02-02 21:01:07 UTC

Description Eugene Teo (Security Response) 2009-07-14 01:51:36 UTC
Description of problem:
commit f9fabcb58a6d26d6efde842d1703ac7cfa9427b6
Author: Julien Tinnes <jt@cr0.org>
Date:   Fri Jun 26 20:27:40 2009 +0200

    personality: fix PER_CLEAR_ON_SETID

    We have found that the current PER_CLEAR_ON_SETID mask on Linux includes
    neither ADDR_COMPAT_LAYOUT nor MMAP_PAGE_ZERO.

    The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.

    We believe it is important to add MMAP_PAGE_ZERO, because by using this
    personality it is possible to have the first page mapped inside a
    process running as setuid root.  This could be used in those scenarios:

     - Exploiting a NULL pointer dereference issue in a setuid root binary
     - Bypassing the mmap_min_addr restrictions of the Linux kernel: by
       running a setuid binary that would drop privileges before giving us
       control back (for instance by loading a user-supplied library), we
       could get the first page mapped in a process we control.  By further
       using mremap and mprotect on this mapping, we can then completely
       bypass the mmap_min_addr restrictions.

    Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
    since on 32-bit x86 it will in practice disable most of the address
    space layout randomization (only the stack will remain randomized).

    Signed-off-by: Julien Tinnes <jt@cr0.org>
    Signed-off-by: Tavis Ormandy <taviso@sdf.lonestar.org>
    Cc: stable@kernel.org
    Acked-by: Christoph Hellwig <hch@infradead.org>
    Acked-by: Kees Cook <kees@ubuntu.com>
    Acked-by: Eugene Teo <eugene@redhat.com>
    [ Shortened lines and fixed whitespace as per Christoph's suggestion ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Upstream commit:
http://git.kernel.org/linus/f9fabcb58a6d26d6efde842d1703ac7cfa9427b6

Comment 2 Eugene Teo (Security Response) 2009-07-16 06:52:22 UTC
Informed oss-security:
http://www.openwall.com/lists/oss-security/2009/07/16/1

Comment 3 Jan Lieskovsky 2009-07-16 15:51:44 UTC
MITRE's CVE-2009-1895 entry:

The personality subsystem in the Linux kernel before 2.6.31-rc3 has a
PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT
and MMAP_PAGE_ZERO flags when executing a setuid or setgid program,
which makes it easier for local users to leverage the details of
memory usage to (1) conduct NULL pointer dereference attacks, (2)
bypass the mmap_min_addr protection mechanism, or (3) defeat address
space layout randomization (ASLR).

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1895
http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f9fabcb58a6d26d6efde842d1703ac7cfa9427b6
http://patchwork.kernel.org/patch/32598/
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.31-rc3
https://bugs.launchpad.net/bugs/cve/2009-1895
http://www.securityfocus.com/bid/35647
http://www.osvdb.org/55807
http://secunia.com/advisories/35801
http://www.vupen.com/english/advisories/2009/1866

Comment 4 Fedora Update System 2009-07-29 22:26:01 UTC
kernel-2.6.29.6-217.2.3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kernel-2.6.29.6-217.2.3.fc11

Comment 5 Fedora Update System 2009-08-03 16:58:54 UTC
kernel-2.6.27.29-170.2.78.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kernel-2.6.27.29-170.2.78.fc10

Comment 6 errata-xmlrpc 2009-08-04 13:15:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1193 https://rhn.redhat.com/errata/RHSA-2009-1193.html

Comment 7 Fedora Update System 2009-08-05 00:30:13 UTC
kernel-2.6.27.29-170.2.78.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2009-08-05 00:35:38 UTC
kernel-2.6.29.6-217.2.3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Eugene Teo (Security Response) 2009-08-05 11:18:21 UTC
Kbase article: http://kbase.redhat.com/faq/docs/DOC-17866

Comment 10 wsmith23_2001 2009-08-10 18:19:19 UTC
Is there an ETA as to when the patch for RHEL 4 will be released?

Comment 11 Eugene Teo (Security Response) 2009-08-11 03:52:51 UTC
(In reply to comment #10)
> Is there an ETA as to when the patch for RHEL 4 will be released?  

It will be addressed in the next update. The schedule for this is not confirmed yet. Feel free to send us an email at secalert@redhat.com instead. Thanks.

Comment 13 errata-xmlrpc 2009-09-15 08:30:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1438 https://rhn.redhat.com/errata/RHSA-2009-1438.html

Comment 14 errata-xmlrpc 2009-11-03 18:21:10 UTC
This issue has been addressed in the following products:

  MRG for RHEL-5

Via RHSA-2009:1540 https://rhn.redhat.com/errata/RHSA-2009-1540.html

Comment 16 errata-xmlrpc 2009-11-03 22:03:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1550 https://rhn.redhat.com/errata/RHSA-2009-1550.html

Comment 19 errata-xmlrpc 2010-02-02 21:01:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.2 Z Stream

Via RHSA-2010:0079 https://rhn.redhat.com/errata/RHSA-2010-0079.html

