Bug 512673 - kernel: security: root-exploit if tun not set
Status: CLOSED DUPLICATE of bug 512284
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Danny Feng
QA Contact: Red Hat Kernel QE team
Depends On:
Reported: 2009-07-20 06:35 EDT by Gerrit Slomma
Modified: 2009-07-23 01:29 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-07-23 01:29:35 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description Gerrit Slomma 2009-07-20 06:35:39 EDT
Haven't found this on bugzilla; it is from Friday 2009-07-17, posted on heise security.

Description of problem:

Brad Spengler, the developer behind the Grsecurity project, has published an exploit for a vulnerability in the Tun interface in Linux kernel 2.6.30 and 2.6.18, used in Red Hat Enterprise Linux 5 (RHEL5), which can be exploited by attackers to obtain root privileges. Of particular interest is the fact that the exploit is even able to circumvent security extensions such as SELinux. According to Spengler's report, the vulnerability is only found in these two versions of the kernel. The core of the problem is a normally non-exploitable null pointer dereference, which becomes exploitable due to a GCC optimisation.

Version-Release number of selected component (if applicable):

Kernels 2.6.18 with backports (all of RHEL5) and kernels 2.6.30

Expected Result:

Future kernel versions will be compiled using the "-fno-delete-null-pointer-checks" option, so that the compiler no longer eliminates checks for null pointers. A debate on lwn.net shows a split in opinion on whether this is GCC optimising code to breaking point, or a programming error.

Additional info:
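Added illustration of the bug class the description refers to; this is example code written for this page, not code from the report, from heise, or from the kernel. It places a NULL check after a dereference, the ordering that GCC's default -fdelete-null-pointer-checks optimisation is entitled to remove, beside the hardened ordering where the check comes first. The struct name tun_like, the poll_check_* functions and the POLL_OK/POLL_ERR values are constructed for the example and are not the kernel's.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical device state for the illustration; not the kernel's struct. */
struct tun_like {
    unsigned int flags;
};

/* Constructed return codes for the illustration (not the kernel's POLL* values). */
#define POLL_OK  0x0001u
#define POLL_ERR 0x0008u

/*
 * Vulnerable shape: the pointer is dereferenced BEFORE it is tested for NULL.
 * Dereferencing NULL is undefined behaviour, so GCC at -O2 (where
 * -fdelete-null-pointer-checks is on by default) may infer that dev cannot be
 * NULL on the line after the load and delete the `if (!dev)` branch entirely.
 * The source still looks checked; the object code is not.
 */
unsigned int poll_check_after_deref(struct tun_like *dev)
{
    unsigned int f = dev->flags;   /* dereference first ...            */
    if (!dev)                      /* ... check second: may be removed */
        return POLL_ERR;
    return f ? POLL_OK : POLL_ERR;
}

/*
 * Hardened shape: test the pointer before any use. Nothing precedes the
 * check that would let the optimiser assume dev is non-NULL, so the branch
 * survives at every optimisation level, with or without
 * -fno-delete-null-pointer-checks.
 */
unsigned int poll_check_before_deref(struct tun_like *dev)
{
    if (!dev)
        return POLL_ERR;
    return dev->flags ? POLL_OK : POLL_ERR;
}

/*
 * Review aid: compile this file twice and diff the assembly of
 * poll_check_after_deref to see the NULL test disappear under the default
 * flags and survive under the build-wide mitigation the report mentions:
 *   gcc -O2 -S null_check.c -o default.s
 *   gcc -O2 -fno-delete-null-pointer-checks -S null_check.c -o kept.s
 */

int main(void)
{
    struct tun_like dev = { .flags = 1 };

    printf("check-before-deref, valid dev: 0x%x\n", poll_check_before_deref(&dev));
    printf("check-before-deref, NULL dev:  0x%x\n", poll_check_before_deref(NULL));
    printf("check-after-deref,  valid dev: 0x%x\n", poll_check_after_deref(&dev));
    /* poll_check_after_deref(NULL) is deliberately not called: that call is the bug. */
    return 0;
}
```

The defensive takeaway is the ordering, not the flag: -fno-delete-null-pointer-checks keeps the compiled check in place for code that already has the vulnerable shape, but code reviewed so that every dereference is preceded by its check does not depend on the compiler option at all.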

Comment 1 Danny Feng 2009-07-23 01:29:35 EDT
This security bug is known as CVE-2009-1897; it is a duplicate of bz512284.

*** This bug has been marked as a duplicate of bug 512284 ***
