511171 – (CVE-2009-1895) CVE-2009-1895 kernel: personality: fix PER_CLEAR_ON_SETID

Bug 511171 (CVE-2009-1895) - CVE-2009-1895 kernel: personality: fix PER_CLEAR_ON_SETID

Summary: CVE-2009-1895 kernel: personality: fix PER_CLEAR_ON_SETID

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2009-1895
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	504072 508842 508843 508845 508846 511172 511173 549236 1650673
Blocks:
TreeView+	depends on / blocked

Reported:	2009-07-14 01:51 UTC by Eugene Teo (Security Response)
Modified:	2019-09-29 12:30 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-06-10 22:31:42 UTC

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2009:1193	normal	SHIPPED_LIVE	Important: kernel security and bug fix update	2009-08-04 13:15:15 UTC
Red Hat Product Errata	RHSA-2009:1438	normal	SHIPPED_LIVE	Important: kernel security and bug fix update	2009-09-15 08:30:27 UTC
Red Hat Product Errata	RHSA-2009:1540	normal	SHIPPED_LIVE	Important: kernel-rt security, bug fix, and enhancement update	2009-11-03 18:21:07 UTC
Red Hat Product Errata	RHSA-2009:1550	normal	SHIPPED_LIVE	Important: kernel security and bug fix update	2009-11-03 21:59:47 UTC
Red Hat Product Errata	RHSA-2010:0079	normal	SHIPPED_LIVE	Important: kernel security and bug fix update	2010-02-02 21:01:07 UTC

Description Eugene Teo (Security Response) 2009-07-14 01:51:36 UTC

Description of problem:
commit f9fabcb58a6d26d6efde842d1703ac7cfa9427b6
Author: Julien Tinnes <jt@cr0.org>
Date:   Fri Jun 26 20:27:40 2009 +0200

    personality: fix PER_CLEAR_ON_SETID

    We have found that the current PER_CLEAR_ON_SETID mask on Linux doesn't
    include neither ADDR_COMPAT_LAYOUT, nor MMAP_PAGE_ZERO.

    The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.

    We believe it is important to add MMAP_PAGE_ZERO, because by using this
    personality it is possible to have the first page mapped inside a
    process running as setuid root.  This could be used in those scenarios:

     - Exploiting a NULL pointer dereference issue in a setuid root binary
     - Bypassing the mmap_min_addr restrictions of the Linux kernel: by
       running a setuid binary that would drop privileges before giving us
       control back (for instance by loading a user-supplied library), we
       could get the first page mapped in a process we control.  By further
       using mremap and mprotect on this mapping, we can then completely
       bypass the mmap_min_addr restrictions.

    Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
    since on x86 32bits it will in practice disable most of the address
    space layout randomization (only the stack will remain randomized).

    Signed-off-by: Julien Tinnes <jt@cr0.org>
    Signed-off-by: Tavis Ormandy <taviso@sdf.lonestar.org>
    Cc: stable@kernel.org
    Acked-by: Christoph Hellwig <hch@infradead.org>
    Acked-by: Kees Cook <kees@ubuntu.com>
    Acked-by: Eugene Teo <eugene@redhat.com>
    [ Shortened lines and fixed whitespace as per Christophs' suggestion ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Upstream commit:
http://git.kernel.org/linus/f9fabcb58a6d26d6efde842d1703ac7cfa9427b6

Comment 2 Eugene Teo (Security Response) 2009-07-16 06:52:22 UTC

Informed oss-security:
http://www.openwall.com/lists/oss-security/2009/07/16/1

Comment 3 Jan Lieskovsky 2009-07-16 15:51:44 UTC

MITRE's CVE-2009-1895 entry:

The personality subsystem in the Linux kernel before 2.6.31-rc3 has a
PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT
and MMAP_PAGE_ZERO flags when executing a setuid or setgid program,
which makes it easier for local users to leverage the details of
memory usage to (1) conduct NULL pointer dereference attacks, (2)
bypass the mmap_min_addr protection mechanism, or (3) defeat address
space layout randomization (ASLR).

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1895
http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f9fabcb58a6d26d6efde842d1703ac7cfa9427b6
http://patchwork.kernel.org/patch/32598/
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.31-rc3
https://bugs.launchpad.net/bugs/cve/2009-1895
http://www.securityfocus.com/bid/35647
http://www.osvdb.org/55807
http://secunia.com/advisories/35801
http://www.vupen.com/english/advisories/2009/1866

Comment 4 Fedora Update System 2009-07-29 22:26:01 UTC

kernel-2.6.29.6-217.2.3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kernel-2.6.29.6-217.2.3.fc11

Comment 5 Fedora Update System 2009-08-03 16:58:54 UTC

kernel-2.6.27.29-170.2.78.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kernel-2.6.27.29-170.2.78.fc10

Comment 6 errata-xmlrpc 2009-08-04 13:15:35 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1193 https://rhn.redhat.com/errata/RHSA-2009-1193.html

Comment 7 Fedora Update System 2009-08-05 00:30:13 UTC

kernel-2.6.27.29-170.2.78.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2009-08-05 00:35:38 UTC

kernel-2.6.29.6-217.2.3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Eugene Teo (Security Response) 2009-08-05 11:18:21 UTC

Kbase article: http://kbase.redhat.com/faq/docs/DOC-17866

Comment 10 wsmith23_2001 2009-08-10 18:19:19 UTC

Is there an ETA as to when the patch for RHEL 4 will be released?

Comment 11 Eugene Teo (Security Response) 2009-08-11 03:52:51 UTC

(In reply to comment #10)
> Is there an ETA as to when the patch for RHEL 4 will be released?  

It will be addressed in the next update. The schedule for this is not confirmed yet. Feel free to send us an email at secalert@redhat.com instead. Thanks.

Comment 13 errata-xmlrpc 2009-09-15 08:30:32 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1438 https://rhn.redhat.com/errata/RHSA-2009-1438.html

Comment 14 errata-xmlrpc 2009-11-03 18:21:10 UTC

This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2009:1540 https://rhn.redhat.com/errata/RHSA-2009-1540.html

Comment 16 errata-xmlrpc 2009-11-03 22:03:22 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1550 https://rhn.redhat.com/errata/RHSA-2009-1550.html

Comment 19 errata-xmlrpc 2010-02-02 21:01:48 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.2 Z Stream

Via RHSA-2010:0079 https://rhn.redhat.com/errata/RHSA-2010-0079.html

Note You need to log in before you can comment on or make changes to this bug.