Description of problem:
It requires debugfs to be mounted on a local system

$ mount | grep debugfs
none on /sys/kernel/debug type debugfs (rw)
none on /var/lib/ureadahead/debugfs type debugfs (rw,relatime)

Tested with Ubuntu Maverick 10.04.1 with kernel 2.6.32-24-generic-pae. It's probably not exploitable in any meaningful way, although it produces a page fault in kernel mode and makes subsequent processes opening /sys/kernel/debug/tracing/set_ftrace_filter (or set_ftrace_notrace) unkillable, so it's a little bit of a DoS (or at least, an annoyance). Found via one of Tavis Ormandy's tools; I just quickly analyzed it and provided a testcase.

Acknowledgements:
Red Hat would like to thank Robert Swiecki of Google Security Team for reporting this issue.
Statement:
This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4 and 5, as they do not include support for Ftrace. It did not affect Red Hat Enterprise MRG as it did not contain the upstream commit 8fc0c701 that introduced this flaw.
Debugfs is not mounted by default. You need to run "mount -t debugfs nodev /sys/kernel/debug" as root first.
Patch: http://git.kernel.org/tip/9c55cb12c1c172e2d51e85fbb5a4796ca86b77e7
Now merged upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=9c55cb12c1c172e2d51e85fbb5a4796ca86b77e7
Fixed in 2.6.27.54, 2.6.32.22 and 2.6.35.5
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6 via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html
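The report names two conditions for the denial of service to be reachable: a kernel older than the fixed stable release and debugfs mounted. The script below is an added example (not from the bug report or from Red Hat) that checks both from a uname -r string and the output of mount; the fixed release numbers are the upstream ones listed above, so on a distribution kernel with backported fixes it is only a heuristic and the vendor errata is the authority.

```shell
#!/bin/sh
# Added example, not part of the bug report. Upstream version numbers only:
# distribution kernels backport fixes, so confirm against vendor errata
# (e.g. the RHSA above) rather than trusting the version string alone.

# Numeric comparison of dotted versions; prints -1, 0 or 1.
vercmp() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=""; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}         # a missing component counts as 0
        [ "$ai" -lt "$bi" ] && { printf '%s\n' -1; return 0; }
        [ "$ai" -gt "$bi" ] && { printf '%s\n' 1; return 0; }
    done
    printf '%s\n' 0
}

# Fixed releases listed in the report, keyed by stable series.
fixed_release() {
    case "$1" in
        2.6.27) echo 2.6.27.54 ;;
        2.6.32) echo 2.6.32.22 ;;
        2.6.35) echo 2.6.35.5 ;;
        *) echo "" ;;
    esac
}

# Input: a `uname -r` string such as 2.6.32-24-generic-pae.
# Output: fixed | unfixed | unknown-series
kernel_status() {
    ver=${1%%-*}                          # drop the distro/flavour suffix
    series=$(echo "$ver" | cut -d. -f1-3)
    fix=$(fixed_release "$series")
    [ -z "$fix" ] && { echo unknown-series; return 0; }
    [ "$(vercmp "$ver" "$fix")" -lt 0 ] && echo unfixed || echo fixed
}

# Input: the text of `mount`. Output: yes | no
debugfs_mounted() {
    echo "$1" | grep -q ' type debugfs ' && echo yes || echo no
}

# Constructed sample input mirroring the mount output in the report.
SAMPLE_MOUNT='none on /sys/kernel/debug type debugfs (rw)
none on /var/lib/ureadahead/debugfs type debugfs (rw,relatime)'

# Live check of this host: both conditions must hold to be exposed.
if command -v mount >/dev/null 2>&1 && command -v uname >/dev/null 2>&1; then
    if [ "$(kernel_status "$(uname -r)")" = unfixed ] && \
       [ "$(debugfs_mounted "$(mount 2>/dev/null)")" = yes ]; then
        echo "exposed: unfixed kernel series and debugfs mounted"
    fi
fi
```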