Red Hat Bugzilla – Bug 512284
CVE-2009-1897 kernel: tun/tap: Fix crashes if open() /dev/net/tun and then poll() it
Last modified: 2010-12-22 04:12:59 EST
Reported by Eugene Kapun:
Fix NULL pointer dereference in tun_chr_pool() introduced by commit 33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554 ("tun: Limit amount of queued packets per device") and triggered by this code:
struct pollfd pfd;
fd = open("/dev/net/tun", O_RDWR);
pfd.fd = fd;
pfd.events = POLLIN | POLLOUT;
poll(&pfd, 1, 0);
The Red Hat Security Response Team is aware of the Linux kernel local privilege escalation exploit that is published in a number of security mailing lists and websites. The flaw identified by CVE-2009-1897 is a null pointer dereference vulnerability in the tun_chr_poll() function of the Linux kernel, introduced via the upstream git commit 33dccbb0. This flaw affects kernel versions between 2.6.30-rc1 and 2.6.31-rc3, and was addressed via the upstream git commit 3c8a9c63.
The flaw affects only the Red Hat Enterprise Linux 5.4 beta kernel as the upstream git commit 33dccbb0 was backported to the kernel as a normal bug fix. We will be addressing this flaw in a future update to the beta kernel. It is also possible to mitigate this flaw by ensuring that the permissions for /dev/net/tun is restricted to root only.
The default SELinux policy, in Red Hat Enterprise Linux 5, allows processes in the unconfined domains to map low memory in the kernel. The exploit did not bypass the null pointer dereference protection in the Linux kernel. However, we are updating the selinux-policy package to change this default configuration, so that it prevents the unconfined processes from being able to map the low memory. See bug 511143 for more information.
This issue does not affect any other released kernel in any Red Hat product.
In addition, future updates to Red Hat Enterprise Linux kernels may include the '-fno-delete-null-pointer-checks' gcc CFLAGS. See:
We would like to thank Brad Spengler for bringing these issues to our attention.
The CVSS 'access complexity' metric was originally set to AC:M but I incorrectly changed it to AC:L. I've now put it back to AC:M. This is because by default /dev/net/tun is restricted to root only access, but it's probable that a system owner could have changed the permissions.
MITRE's CVE-2009-1897 entry:
The tun_chr_poll function in drivers/net/tun.c in the tun
subsystem in the Linux kernel 2.6.30 and 18.104.22.168, when
the -fno-delete-null-pointer-checks gcc option is omitted,
allows local users to gain privileges via vectors involving
a NULL pointer dereference and an mmap of /dev/net/tun,
a different vulnerability than CVE-2009-1894.
*** Bug 512673 has been marked as a duplicate of this bug. ***
kernel-22.214.171.124-217.2.3.fc11 has been submitted as an update for Fedora 11.