Bug 512673 - kernel: security: root-exploit if tun not set
Summary: kernel: security: root-exploit if tun not set
Keywords:
Status: CLOSED DUPLICATE of bug 512284
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.3
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
: ---
Assignee: Danny Feng
QA Contact: Red Hat Kernel QE team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-07-20 10:35 UTC by Gerrit Slomma
Modified: 2009-07-23 05:29 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-07-23 05:29:35 UTC
Target Upstream Version:
Embargoed:



Description Gerrit Slomma 2009-07-20 10:35:39 UTC
Haven't found this on bugzilla; it is from Friday 2009-07-17, posted on heise security.

Description of problem:

Brad Spengler, the developer behind the Grsecurity project, has published an exploit for a vulnerability in the Tun interface in Linux kernel 2.6.30 and 2.6.18, used in Red Hat Enterprise Linux 5 (RHEL5), which can be exploited by attackers to obtain root privileges. Of particular interest is the fact that the exploit is even able to circumvent security extensions such as SELinux. According to Spengler's report, the vulnerability is only found in these two versions of the kernel. The core of the problem is a normally non-exploitable null pointer dereference, which becomes exploitable due to the GCC's optimisation function.

Version-Release number of selected component (if applicable):

Kernels 2.6.18 with backports (all of RHEL5) and kernels 2.6.30

Expected Result:

Future kernel versions will be compiled using the "fno-delete-null-pointer-checks" option, so that the compiler no longer eliminates checks for null pointers. A debate on lwn.net shows a split in opinion on whether this is GCC optimising code to breaking point, or a programming error.

Additional info:

http://www.h-online.com/security/Root-exploit-for-Linux-kernel-published--/news/113791
http://lists.grok.org.uk/pipermail/full-disclosure/2009-July/069714.html
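The dereference-before-check pattern the quoted article refers to, shown here as an added example that is not from this bug page or the RHEL5 kernel source; the struct and function names are assumptions for illustration. Compiling with `gcc -O2 -S` and then again with `-fno-delete-null-pointer-checks` shows the NULL test disappear from the first function and survive in the second.

```c
#include <stddef.h>

/* Constructed stand-ins for a kernel socket and the device that owns it
 * (hypothetical names, not the real tun driver structures). */
struct sock { int readable; };
struct tun_dev { struct sock *sk; };

#define POLLIN  0x001
#define POLLERR 0x008

/* Vulnerable ordering: the pointer is dereferenced (tun->sk) before it is
 * tested for NULL. With -O2, GCC's -fdelete-null-pointer-checks treats the
 * dereference as proof that tun is non-NULL and deletes the "if (!tun)" test,
 * so a NULL tun never reaches the POLLERR return. */
unsigned int poll_deref_then_check(struct tun_dev *tun)
{
    struct sock *sk = tun->sk;   /* dereference first */
    if (!tun)                    /* check second: optimised away at -O2 */
        return POLLERR;
    return sk->readable ? POLLIN : 0;
}

/* Hardened ordering: test the pointer before any use. Nothing precedes the
 * check that the compiler could use to infer tun != NULL, so the test stays
 * regardless of -fdelete-null-pointer-checks. */
unsigned int poll_check_then_deref(struct tun_dev *tun)
{
    if (!tun)
        return POLLERR;
    struct sock *sk = tun->sk;
    return sk->readable ? POLLIN : 0;
}

/* On a valid device both orderings agree; the difference only appears for a
 * NULL argument, which the vulnerable ordering can no longer reject. */
int both_agree_on_valid_device(void)
{
    struct sock s = { 1 };
    struct tun_dev d = { &s };
    return poll_deref_then_check(&d) == poll_check_then_deref(&d);
}
```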

Comment 1 Danny Feng 2009-07-23 05:29:35 UTC
This security bug is known as CVE-2009-1897 and is a duplicate of bz512284.

*** This bug has been marked as a duplicate of bug 512284 ***
