Description of problem:

Vulnerability Details
---------------------
On Linux, recvmsg() style socket calls are performed using iovec structs, which allow a user to specify a base address and size for a buffer used to receive socket data. Each packet family is responsible for defining functions that copy socket data, which is received by the kernel, back to user space to allow user programs to process and handle received network data. When performing this copying of data to user space, the RDS protocol failed to verify that the base address of a user-provided iovec struct pointed to a valid userspace address before using the __copy_to_user_inatomic() function to copy the data. As a result, by providing a kernel address as an iovec base and issuing a recvmsg() style socket call, a local user could write arbitrary data into kernel memory. This can be leveraged to escalate privileges to root.

Please make updates for all currently stable releases, F12 and F13. Thank you.

Version-Release number of selected component (if applicable):
2.6.34.7-56.fc13.i686.PAE
2.6.32.21-168.fc12.i686.PAE

How reproducible:
Always exploitable

Steps to Reproduce:
And the updated exploit is available at:
http://www.vsecurity.com/download/tools/linux-rds-exploit.c

Actual results:
got root access

Additional info:
http://www.vsecurity.com/resources/advisory/20101019-1/
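The following is an added, user-space model of the bug described in the report above; it is not code from the bug report, the advisory, or the kernel. A flat array stands in for the machine's address space, with everything below USER_LIMIT treated as userspace and everything above it as kernel memory. rds_copy_unchecked() models the pre-fix behaviour (the iovec base is trusted and written to directly), and rds_copy_checked() adds the access_ok()-style range check that the kernel's copy_to_user() performs and that the unchecked __copy_to_user_inatomic() path skipped. All identifiers (model_iovec, model_access_ok, KERNEL_CRED_ADDR, the payload) are hypothetical, and the credential layout and addresses are constructed for the demonstration only.

```c
/* Added example: user-space model of an unchecked iovec copy, not kernel code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE         0x1000u
#define USER_LIMIT       0x0800u   /* [0, USER_LIMIT) is "user", the rest "kernel" */
#define KERNEL_CRED_ADDR 0x0900u   /* constructed: where the model kernel keeps creds */

/* Model iovec: iov_base is an address in the model address space, not a host pointer. */
struct model_iovec {
    uint32_t iov_base;
    uint32_t iov_len;
};

/* Constructed credential record living in the kernel half of model memory. */
struct model_cred {
    uint32_t uid;
    uint32_t gid;
};

static uint8_t mem[MEM_SIZE];   /* the whole model address space */

static void reset_machine(void)
{
    struct model_cred c = { 1000, 1000 };   /* an unprivileged user */
    memset(mem, 0, sizeof mem);
    memcpy(&mem[KERNEL_CRED_ADDR], &c, sizeof c);
}

static uint32_t current_uid(void)
{
    struct model_cred c;
    memcpy(&c, &mem[KERNEL_CRED_ADDR], sizeof c);
    return c.uid;
}

/* Model of access_ok(VERIFY_WRITE, addr, len): the entire [addr, addr+len) range
 * must lie below USER_LIMIT, and addr + len must not wrap around. */
static int model_access_ok(uint32_t addr, uint32_t len)
{
    return len <= USER_LIMIT && addr <= USER_LIMIT - len;
}

/* Raw store into model memory. Bounds are checked only to keep the host process
 * safe; this is the "hardware", not a security check. */
static uint32_t raw_copy(uint32_t dst, const uint8_t *src, uint32_t len)
{
    if (dst >= MEM_SIZE || len > MEM_SIZE - dst)
        return 0;
    memcpy(&mem[dst], src, len);
    return len;
}

typedef int (*copy_fn)(const struct model_iovec *, const uint8_t *, uint32_t);

/* Pre-fix behaviour: trusts iov_base and copies straight to it. */
static int rds_copy_unchecked(const struct model_iovec *iov, const uint8_t *pkt, uint32_t len)
{
    uint32_t n = len < iov->iov_len ? len : iov->iov_len;
    return (int)raw_copy(iov->iov_base, pkt, n);
}

/* Fixed behaviour: refuse any iovec whose target range is not entirely userspace. */
static int rds_copy_checked(const struct model_iovec *iov, const uint8_t *pkt, uint32_t len)
{
    uint32_t n = len < iov->iov_len ? len : iov->iov_len;
    if (!model_access_ok(iov->iov_base, n))
        return -EFAULT;
    return (int)raw_copy(iov->iov_base, pkt, n);
}

static int last_rc;   /* return value of the most recent copy, for inspection */

/* Scenario from the report: a local user supplies an iovec whose base is a kernel
 * address and receives a packet whose bytes are the data they want written there.
 * Here the constructed 8-byte payload of zeros overwrites uid and gid with 0.
 * Returns the uid found in the model kernel afterwards. */
static uint32_t run_attack(copy_fn copy)
{
    static const uint8_t payload[8] = { 0 };
    struct model_iovec iov = { KERNEL_CRED_ADDR, sizeof payload };
    reset_machine();
    last_rc = copy(&iov, payload, sizeof payload);
    return current_uid();
}

int main(void)
{
    uint32_t uid = run_attack(rds_copy_unchecked);
    printf("unchecked copy: rc=%d, uid after recvmsg=%u\n", last_rc, uid);
    uid = run_attack(rds_copy_checked);
    printf("checked copy:   rc=%d, uid after recvmsg=%u\n", last_rc, uid);
    return 0;
}
```

With the unchecked copy the "recvmsg" succeeds and the model's uid becomes 0; with the range check it fails with -EFAULT and the credentials are untouched. The check also rejects a range that merely straddles the user/kernel boundary and an addr + len that wraps around, which is why the comparison is written as addr <= USER_LIMIT - len rather than addr + len <= USER_LIMIT.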
This upstream commit is supposed to fix the bug:

commit 799c10559d60f159ab2232203f222f18fa3c4a5f
Author: Linus Torvalds <torvalds>
Date:   Fri Oct 15 11:09:28 2010 -0700

    De-pessimize rds_page_copy_user
Fedora 12 kernel-2.6.32.23-170.fc12.x86_64 also has this problem
Still no sign of an updated kernel for F12 in koji. F13 and F14 seem to have a kernel built for them, although I don't think they have been pushed to testing yet. I've implemented the work-around mentioned in the link above:

echo "alias net-pf-21 off" > /etc/modprobe.d/disable-rds

which stops the exploit.
Sorry, somehow the last round of stable updates went missing due to a failed build. Fixed.