Bug 511171 - (CVE-2009-1895) CVE-2009-1895 kernel: personality: fix PER_CLEAR_ON_SETID
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,source=lkml,public=2...
Keywords: Security
Depends On: 504072 508842 508843 508845 508846 511172 511173 549236
Reported: 2009-07-13 21:51 EDT by Eugene Teo (Security Response)
Modified: 2016-06-10 18:31 EDT
Doc Type: Bug Fix
Last Closed: 2016-06-10 18:31:42 EDT
Description Eugene Teo (Security Response) 2009-07-13 21:51:36 EDT
Description of problem:
commit f9fabcb58a6d26d6efde842d1703ac7cfa9427b6
Author: Julien Tinnes <jt@cr0.org>
Date:   Fri Jun 26 20:27:40 2009 +0200

    personality: fix PER_CLEAR_ON_SETID

    We have found that the current PER_CLEAR_ON_SETID mask on Linux doesn't
    include either ADDR_COMPAT_LAYOUT or MMAP_PAGE_ZERO.

    The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.

    We believe it is important to add MMAP_PAGE_ZERO, because by using this
    personality it is possible to have the first page mapped inside a
    process running as setuid root.  This could be used in those scenarios:

     - Exploiting a NULL pointer dereference issue in a setuid root binary
     - Bypassing the mmap_min_addr restrictions of the Linux kernel: by
       running a setuid binary that would drop privileges before giving us
       control back (for instance by loading a user-supplied library), we
       could get the first page mapped in a process we control.  By further
       using mremap and mprotect on this mapping, we can then completely
       bypass the mmap_min_addr restrictions.

    Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
    since on 32-bit x86 it will in practice disable most of the address
    space layout randomization (only the stack will remain randomized).

    Signed-off-by: Julien Tinnes <jt@cr0.org>
    Signed-off-by: Tavis Ormandy <taviso@sdf.lonestar.org>
    Cc: stable@kernel.org
    Acked-by: Christoph Hellwig <hch@infradead.org>
    Acked-by: Kees Cook <kees@ubuntu.com>
    Acked-by: Eugene Teo <eugene@redhat.com>
    [ Shortened lines and fixed whitespace as per Christoph's suggestion ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Upstream commit:
http://git.kernel.org/linus/f9fabcb58a6d26d6efde842d1703ac7cfa9427b6
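As an added illustration (not part of the bug report or of the kernel's own code), the C program below decodes a personality word of the kind /proc/<pid>/personality exposes and shows which of the four flags named in the commit would still be in effect inside a setuid/setgid child under the pre-fix mask and under the fixed one. The flag values are restated from the kernel's personality header, and the sample word is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Flag values restated from the kernel's linux/personality.h so the example
 * builds without kernel headers. */
#define ADDR_NO_RANDOMIZE   0x0040000u
#define MMAP_PAGE_ZERO      0x0100000u
#define ADDR_COMPAT_LAYOUT  0x0200000u
#define READ_IMPLIES_EXEC   0x0400000u
/* Mask before commit f9fabcb5, and the mask that commit installs. */
#define PER_CLEAR_ON_SETID_OLD   (READ_IMPLIES_EXEC | ADDR_NO_RANDOMIZE)
#define PER_CLEAR_ON_SETID_FIXED (PER_CLEAR_ON_SETID_OLD | ADDR_COMPAT_LAYOUT | MMAP_PAGE_ZERO)

static const struct { unsigned int bit; const char *name; } flag_names[] = {
    { ADDR_NO_RANDOMIZE, "ADDR_NO_RANDOMIZE" },   { MMAP_PAGE_ZERO, "MMAP_PAGE_ZERO" },
    { ADDR_COMPAT_LAYOUT, "ADDR_COMPAT_LAYOUT" }, { READ_IMPLIES_EXEC, "READ_IMPLIES_EXEC" },
};

/* Parse the hex word /proc/<pid>/personality prints ("00300000\n"); -1 if it is not hex. */
long parse_personality(const char *text)
{
    char *end;
    unsigned long v = strtoul(text, &end, 16);
    return (end == text || (*end != '\0' && *end != '\n')) ? -1 : (long)v;
}

/* What the kernel does at setuid/setgid exec: every flag in the mask is dropped. */
unsigned int after_setid_exec(unsigned int persona, unsigned int clear_mask)
{
    return persona & ~clear_mask;
}

/* Names of the security-relevant flags set in persona, joined by '|'; "(none)" if none. */
const char *flag_string(unsigned int persona)
{
    static char buf[96];
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof flag_names / sizeof flag_names[0]; i++)
        if (persona & flag_names[i].bit)
            snprintf(buf + strlen(buf), sizeof buf - strlen(buf), "%s%s", buf[0] ? "|" : "", flag_names[i].name);
    return buf[0] ? buf : "(none)";
}

int main(void)
{
    /* Constructed sample: MMAP_PAGE_ZERO|ADDR_COMPAT_LAYOUT set before a setuid exec. */
    long p = parse_personality("00300000\n");
    if (p < 0) return 1;
    printf("inherited:             %s\n", flag_string((unsigned)p));
    printf("survives, old mask:    %s\n", flag_string(after_setid_exec((unsigned)p, PER_CLEAR_ON_SETID_OLD)));
    printf("survives, fixed mask:  %s\n", flag_string(after_setid_exec((unsigned)p, PER_CLEAR_ON_SETID_FIXED)));
    return 0;
}
```

On a live system, feed the contents of /proc/<pid>/personality for a privileged process into parse_personality to confirm that none of the four flags survived its exec.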
Comment 2 Eugene Teo (Security Response) 2009-07-16 02:52:22 EDT
Informed oss-security:
http://www.openwall.com/lists/oss-security/2009/07/16/1
Comment 3 Jan Lieskovsky 2009-07-16 11:51:44 EDT
MITRE's CVE-2009-1895 entry:

The personality subsystem in the Linux kernel before 2.6.31-rc3 has a
PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT
and MMAP_PAGE_ZERO flags when executing a setuid or setgid program,
which makes it easier for local users to leverage the details of
memory usage to (1) conduct NULL pointer dereference attacks, (2)
bypass the mmap_min_addr protection mechanism, or (3) defeat address
space layout randomization (ASLR).

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1895
http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f9fabcb58a6d26d6efde842d1703ac7cfa9427b6
http://patchwork.kernel.org/patch/32598/
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.31-rc3
https://bugs.launchpad.net/bugs/cve/2009-1895
http://www.securityfocus.com/bid/35647
http://www.osvdb.org/55807
http://secunia.com/advisories/35801
http://www.vupen.com/english/advisories/2009/1866
Comment 4 Fedora Update System 2009-07-29 18:26:01 EDT
kernel-2.6.29.6-217.2.3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kernel-2.6.29.6-217.2.3.fc11
Comment 5 Fedora Update System 2009-08-03 12:58:54 EDT
kernel-2.6.27.29-170.2.78.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kernel-2.6.27.29-170.2.78.fc10
Comment 6 errata-xmlrpc 2009-08-04 09:15:35 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1193 https://rhn.redhat.com/errata/RHSA-2009-1193.html
Comment 7 Fedora Update System 2009-08-04 20:30:13 EDT
kernel-2.6.27.29-170.2.78.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2009-08-04 20:35:38 EDT
kernel-2.6.29.6-217.2.3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Eugene Teo (Security Response) 2009-08-05 07:18:21 EDT
Kbase article: http://kbase.redhat.com/faq/docs/DOC-17866
Comment 10 wsmith23_2001 2009-08-10 14:19:19 EDT
Is there an ETA as to when the patch for RHEL 4 will be released?
Comment 11 Eugene Teo (Security Response) 2009-08-10 23:52:51 EDT
(In reply to comment #10)
> Is there an ETA as to when the patch for RHEL 4 will be released?  

It will be addressed in the next update. The schedule for this is not confirmed yet. Feel free to send us an email at secalert@redhat.com instead. Thanks.
Comment 13 errata-xmlrpc 2009-09-15 04:30:32 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1438 https://rhn.redhat.com/errata/RHSA-2009-1438.html
Comment 14 errata-xmlrpc 2009-11-03 13:21:10 EST
This issue has been addressed in the following products:

  MRG for RHEL-5

Via RHSA-2009:1540 https://rhn.redhat.com/errata/RHSA-2009-1540.html
Comment 16 errata-xmlrpc 2009-11-03 17:03:22 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1550 https://rhn.redhat.com/errata/RHSA-2009-1550.html
Comment 19 errata-xmlrpc 2010-02-02 16:01:48 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.2 Z Stream

Via RHSA-2010:0079 https://rhn.redhat.com/errata/RHSA-2010-0079.html