Bug 631623 (CVE-2010-3079) - CVE-2010-3079 kernel: ftrace NULL ptr deref
Summary: CVE-2010-3079 kernel: ftrace NULL ptr deref
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-3079
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 631624 631625 631626
Blocks:
 
Reported: 2010-09-08 02:23 UTC by Eugene Teo (Security Response)
Modified: 2023-05-11 16:00 UTC (History)
CC List: 9 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-19 09:13:56 UTC
Embargoed:




Links:
Red Hat Product Errata RHSA-2010:0842 (priority normal, status SHIPPED_LIVE): Important: kernel security and bug fix update, last updated 2010-11-22 19:34:20 UTC

Description Eugene Teo (Security Response) 2010-09-08 02:23:44 UTC
Description of problem:
It requires debugfs to be mounted on a local system

$ mount | grep debugfs
none on /sys/kernel/debug type debugfs (rw)
none on /var/lib/ureadahead/debugfs type debugfs (rw,relatime)

Tested with Ubuntu Maverick 10.04.1 with kernel 2.6.32-24-generic-pae. It's probably not exploitable in any meaningful way, although it produces a page fault in kernel mode and makes subsequent processes opening /sys/kernel/debug/tracing/set_ftrace_filter (or set_ftrace_notrace) unkillable, so it's a little bit of a DoS (or at least, an annoyance).

Found via one of Tavis Ormandy's tools, I just quickly analyzed it and provided a testcase.

Acknowledgements:

Red Hat would like to thank Robert Swiecki of Google Security Team for reporting this issue.

Comment 3 Eugene Teo (Security Response) 2010-09-08 02:38:45 UTC
Statement:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4 and 5, as they do not include support for Ftrace. It did not affect Red Hat Enterprise MRG as it did not contain the upstream commit 8fc0c701 that introduced this flaw.

Comment 4 Eugene Teo (Security Response) 2010-09-08 02:42:20 UTC
Debugfs is not mounted by default. You need to run "mount -t debugfs nodev /sys/kernel/debug" as root first.

Comment 5 Eugene Teo (Security Response) 2010-09-09 02:45:35 UTC
Patch:
http://git.kernel.org/tip/9c55cb12c1c172e2d51e85fbb5a4796ca86b77e7

Comment 7 Chuck Ebbert 2010-09-21 03:32:02 UTC
Fixed in 2.6.27.54, 2.6.32.22 and 2.6.35.5
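
An exposure check that combines the two facts this bug records, the need for debugfs to be mounted (description, comment 4) and the stable releases that carry the fix (comment 7), as an added example that is not part of the bug report or any Red Hat tooling. It assumes GNU `sort -V` is available and that a kernel's upstream version string reflects whether the fix is present; distribution kernels backport patches, so an "exposed" result is a prompt to consult the vendor's errata (RHSA-2010:0842 for Red Hat Enterprise Linux 6), not proof of a vulnerable system. The function and status names are hypothetical.

```shell
#!/bin/sh
# Hypothetical exposure check for CVE-2010-3079 (added example, not from the bug).
# Preconditions taken from the report: debugfs must be mounted, and the kernel
# must predate the stable release that carries the fix on its branch.
# Assumption: upstream version numbering reflects the fix; distro kernels
# backport patches, so "exposed" means "check vendor errata", not "vulnerable".

FIXED_VERSIONS="2.6.27.54 2.6.32.22 2.6.35.5"   # from comment 7

# version_lt A B: true (0) when A sorts strictly before B in version order.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# kernel_has_fix VER: 0 = fixed, 1 = predates the fix, 2 = branch not listed.
# A distro suffix such as "-24-generic-pae" is stripped first; the stable
# branch is the first three components (e.g. 2.6.32).
kernel_has_fix() {
    ver=${1%%-*}
    branch=$(printf '%s' "$ver" | cut -d. -f1-3)
    for f in $FIXED_VERSIONS; do
        if [ "$(printf '%s' "$f" | cut -d. -f1-3)" = "$branch" ]; then
            if version_lt "$ver" "$f"; then return 1; fi
            return 0
        fi
    done
    return 2
}

# debugfs_mounted: true when /proc/mounts lists a debugfs mount.
debugfs_mounted() {
    grep -q ' debugfs ' /proc/mounts 2>/dev/null
}

# exposure_status VER MOUNTED(yes|no): prints one of
#   fixed | not-reachable | exposed | unknown
# "not-reachable" means the kernel is old but the trigger path (a debugfs
# mount) is absent; "unknown" means the branch is not one the bug lists.
exposure_status() {
    rc=0
    kernel_has_fix "$1" || rc=$?
    case "$rc" in
        0) echo fixed ;;
        1) if [ "$2" = yes ]; then echo exposed; else echo not-reachable; fi ;;
        *) echo unknown ;;
    esac
}

# Report on the live host.
if debugfs_mounted; then m=yes; else m=no; fi
echo "kernel $(uname -r), debugfs mounted: $m -> $(exposure_status "$(uname -r)" "$m")"
```

On the reporter's Ubuntu host (kernel 2.6.32-24-generic-pae with debugfs mounted) the check reports `exposed`; unmounting debugfs, which comment 4 notes is not mounted by default, turns that into `not-reachable`.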

Comment 8 errata-xmlrpc 2010-11-10 19:09:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html

Comment 9 errata-xmlrpc 2010-11-22 19:35:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html

