Red Hat Bugzilla – Bug 512673
kernel: security: root-exploit if tun not set
Last modified: 2009-07-23 01:29:35 EDT
Haven't found this on Bugzilla; it is from Friday 2009-07-17, posted on heise Security.
Description of problem:
Brad Spengler, the developer behind the Grsecurity project, has published an exploit for a vulnerability in the Tun interface in Linux kernel 2.6.30 and 2.6.18, used in Red Hat Enterprise Linux 5 (RHEL5), which can be exploited by attackers to obtain root privileges. Of particular interest is the fact that the exploit is even able to circumvent security extensions such as SELinux. According to Spengler's report, the vulnerability is only found in these two versions of the kernel. The core of the problem is a normally non-exploitable null pointer dereference, which becomes exploitable due to a GCC optimisation.
Version-Release number of selected component (if applicable):
Kernels 2.6.18 with backports (all of RHEL5) and kernels 2.6.30
Future kernel versions will be compiled using the "-fno-delete-null-pointer-checks" option, so that the compiler no longer eliminates checks for null pointers. A debate on lwn.net shows a split in opinion on whether this is GCC optimising code to breaking point, or a programming error.
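As an added illustration (not code from the kernel, the exploit or this bug report), the following user-space model shows the check-after-dereference pattern described above beside the corrected ordering; the struct, macro and function names are stand-ins, not kernel identifiers.

```c
/* Added example: models the null-check ordering behind CVE-2009-1897 with
 * plain user-space types. Nothing here is kernel code. */
#include <stddef.h>
#include <stdio.h>

#define POLLERR_LIKE 0x8   /* stand-in for the POLLERR mask */
#define POLL_OK      0x1   /* stand-in for a "readable" mask */

struct sock_model { int readable; };
struct tun_model  { struct sock_model *sk; };

/* Vulnerable ordering: the pointer is dereferenced BEFORE it is checked.
 * With -fdelete-null-pointer-checks (enabled by default at -O2) GCC may
 * treat tun as non-null after the first statement and delete the if(),
 * so a NULL tun flows straight into the next dereference.
 * Calling this with NULL is undefined behaviour; the test never does. */
int poll_deref_before_check(struct tun_model *tun)
{
    struct sock_model *sk = tun->sk;   /* dereference first (the bug) */
    if (!tun)                          /* check the optimiser may remove */
        return POLLERR_LIKE;
    return sk->readable ? POLL_OK : 0;
}

/* Fixed ordering: check first, then dereference. No earlier statement
 * tells the compiler that tun is non-null, so the check cannot be dropped.
 * Building the vulnerable version with -fno-delete-null-pointer-checks
 * keeps its check too, which is the mitigation the report describes. */
int poll_check_before_deref(struct tun_model *tun)
{
    if (!tun)
        return POLLERR_LIKE;
    struct sock_model *sk = tun->sk;
    return sk->readable ? POLL_OK : 0;
}

/* Constructed sample data so both versions can be exercised on valid input. */
static struct sock_model g_sock = { .readable = 1 };
static struct tun_model  g_tun  = { .sk = &g_sock };

int fixed_on_valid(void)      { return poll_check_before_deref(&g_tun); }
int vulnerable_on_valid(void) { return poll_deref_before_check(&g_tun); }

int main(void)
{
    printf("valid tun: vulnerable=%d fixed=%d\n",
           vulnerable_on_valid(), fixed_on_valid());
    printf("NULL tun, fixed version: %d\n", poll_check_before_deref(NULL));
    return 0;
}
```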
This security bug is known as CVE-2009-1897 and is a duplicate of bz512284.
*** This bug has been marked as a duplicate of bug 512284 ***