Description of problem:
It requires debugfs to be mounted on a local system
$ mount | grep debugfs
none on /sys/kernel/debug type debugfs (rw)
none on /var/lib/ureadahead/debugfs type debugfs (rw,relatime)
Tested with Ubuntu Maverick 10.04.1 with kernel 2.6.32-24-generic-pae. It's probably not exploitable in any meaningful way, although it produces a page fault in kernel mode, and makes subsequent processes opening /sys/kernel/debug/tracing/set_ftrace_filter (or set_ftrace_notrace) unkillable, so it's a little bit of a DoS (or at least, an annoyance).
Found via one of Tavis Ormandy's tools, I just quickly analyzed it and provided a testcase.
Red Hat would like to thank Robert Swiecki of Google Security Team for reporting this issue.
This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4 and 5, as they do not include support for Ftrace. It did not affect Red Hat Enterprise MRG as it did not contain the upstream commit 8fc0c701 that introduced this flaw.
Debugfs is not mounted by default. You need to run "mount -t debugfs nodev /sys/kernel/debug" as root first.
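As an added audit helper (not part of the bug report or of the kernel fix), the POSIX shell script below parses `mount` output for read-write debugfs mounts, which is the precondition the report names, and on a live host checks whether the ftrace filter files exist under them. The sample mount lines are constructed from the report's output plus one read-only mount; the function names are assumptions.

```shell
#!/bin/sh
# Audit helper written for this page, not from the bug report.

# debugfs_rw_mounts: read `mount` output on stdin and print
# "<mountpoint> <options>" for every debugfs mount whose options include rw.
# `mount` lines look like: none on /sys/kernel/debug type debugfs (rw)
debugfs_rw_mounts() {
    awk '$5 == "debugfs" {
        opts = $6; gsub(/[()]/, "", opts)
        n = split(opts, a, ",")
        for (i = 1; i <= n; i++) if (a[i] == "rw") { print $3, opts; break }
    }'
}

# Constructed sample: the two lines from the report, one ro debugfs mount
# that must be ignored, and an unrelated ext4 mount.
SAMPLE_MOUNTS='none on /sys/kernel/debug type debugfs (rw)
none on /var/lib/ureadahead/debugfs type debugfs (rw,relatime)
none on /mnt/dbg type debugfs (ro,relatime)
/dev/sda1 on / type ext4 (rw,errors=remount-ro)'

# count_rw_debugfs: number of rw debugfs mounts found in the sample (2).
count_rw_debugfs() {
    printf '%s\n' "$SAMPLE_MOUNTS" | debugfs_rw_mounts | wc -l | tr -d ' '
}

# audit_host: report each rw debugfs mount on this machine and whether the
# ftrace filter files that trigger the fault are reachable under it.
audit_host() {
    mount | debugfs_rw_mounts | while read -r mp opts; do
        echo "debugfs mounted rw at $mp ($opts)"
        for f in set_ftrace_filter set_ftrace_notrace; do
            [ -e "$mp/tracing/$f" ] && echo "  exposed: $mp/tracing/$f"
        done
    done
}

# Run the live audit only when invoked as: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

Unmounting debugfs, or remounting it read-only, removes the rw mount the check reports; the script only reports, it changes nothing.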
Now merged upstream:
Fixed in 220.127.116.11, 18.104.22.168 and 22.214.171.124
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html