Reported by Eugene Kapun:

Fix NULL pointer dereference in tun_chr_poll() introduced by commit 33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554 ("tun: Limit amount of queued packets per device") and triggered by this code:

    int fd;
    struct pollfd pfd;
    fd = open("/dev/net/tun", O_RDWR);
    pfd.fd = fd;
    pfd.events = POLLIN | POLLOUT;
    poll(&pfd, 1, 0);

Upstream commit: http://git.kernel.org/linus/3c8a9c63d5fd738c261bd0ceece04d9c8357ca13

References:
http://lkml.org/lkml/2009/7/6/19
https://bugzilla.redhat.com/show_bug.cgi?id=495863
http://lists.grok.org.uk/pipermail/full-disclosure/2009-July/069714.html
http://git.kernel.org/linus/33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554
http://article.gmane.org/gmane.linux.network/124939
http://git.kernel.org/linus/a3ca86aea507904148870946d599e07a340b39bf
The Red Hat Security Response Team is aware of the Linux kernel local privilege escalation exploit that is published in a number of security mailing lists and websites. The flaw identified by CVE-2009-1897 is a null pointer dereference vulnerability in the tun_chr_poll() function of the Linux kernel, introduced via the upstream git commit 33dccbb0. This flaw affects kernel versions between 2.6.30-rc1 and 2.6.31-rc3, and was addressed via the upstream git commit 3c8a9c63.

The flaw affects only the Red Hat Enterprise Linux 5.4 beta kernel, as the upstream git commit 33dccbb0 was backported to the kernel as a normal bug fix. We will be addressing this flaw in a future update to the beta kernel. It is also possible to mitigate this flaw by ensuring that the permissions for /dev/net/tun are restricted to root only.

The default SELinux policy in Red Hat Enterprise Linux 5 allows processes in the unconfined domains to map low memory in the kernel. The exploit did not bypass the null pointer dereference protection in the Linux kernel. However, we are updating the selinux-policy package to change this default configuration, so that it prevents the unconfined processes from being able to map the low memory. See bug 511143 for more information.

This issue does not affect any other released kernel in any Red Hat product. In addition, future updates to Red Hat Enterprise Linux kernels may include the '-fno-delete-null-pointer-checks' gcc CFLAGS. See: http://git.kernel.org/linus/a3ca86aea507904148870946d599e07a340b39bf

We would like to thank Brad Spengler for bringing these issues to our attention.
The CVSS 'access complexity' metric was originally set to AC:M but I incorrectly changed it to AC:L. I've now put it back to AC:M. This is because by default /dev/net/tun is restricted to root only access, but it's probable that a system owner could have changed the permissions.
MITRE's CVE-2009-1897 entry:

The tun_chr_poll function in drivers/net/tun.c in the tun subsystem in the Linux kernel 2.6.30 and 2.6.30.1, when the -fno-delete-null-pointer-checks gcc option is omitted, allows local users to gain privileges via vectors involving a NULL pointer dereference and an mmap of /dev/net/tun, a different vulnerability than CVE-2009-1894.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1897
http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0241.html
http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0246.html
http://lkml.org/lkml/2009/7/6/19
http://article.gmane.org/gmane.linux.network/124939
http://www.openwall.com/lists/oss-security/2009/07/17/1
http://grsecurity.net/~spender/cheddar_bay.tgz
http://isc.sans.org/diary.html?storyid=6820
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=3c8a9c63d5fd738c261bd0ceece04d9c8357ca13
https://bugzilla.redhat.com/show_bug.cgi?id=512284
http://secunia.com/advisories/35839
http://www.vupen.com/english/advisories/2009/1925
http://xforce.iss.net/xforce/xfdb/51803
*** Bug 512673 has been marked as a duplicate of this bug. ***
kernel-2.6.29.6-217.2.3.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/kernel-2.6.29.6-217.2.3.fc11