Bug 680841 - (CVE-2011-1021) CVE-2011-1021 kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Keywords: Reopened, Security
Depends On: 680844
Blocks: 717862
Reported: 2011-02-28 01:26 EST by Eugene Teo (Security Response)
Modified: 2016-05-22 19:36 EDT
Doc Type: Bug Fix
Last Closed: 2011-03-01 09:46:34 EST
Description Eugene Teo (Security Response) 2011-02-28 01:26:29 EST
Since /sys/kernel/debug/acpi/custom_method can be used to write arbitrary kernel memory (http://jon.oberheide.org/files/american-sign-language.c), it should be able to be left out of the kernel for system owners that want to be as defensive as possible to potential attacks, even from the root user. See as examples: CONFIG_DEVKMEM, CONFIG_STRICT_DEVMEM, and /proc/sys/kernel/modules_disabled.

Comment 5 John Kacur 2011-04-18 18:02:35 EDT
I believe this is the upstream solution
Comment 9 Eugene Teo (Security Response) 2011-06-05 22:58:48 EDT

The version of Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, and 6 as they did not include upstream commit a1a541d8 and a25ee920 that introduced the problem. This has been addressed in Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-1253.html.


This requires debugfs to be mounted on a local system in order to have access
to the custom_method file. Debugfs is not mounted by default. You need to run
"mount -t debugfs nodev /sys/kernel/debug" as root first.
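
A defender-side check for the precondition described in comment 9, as an added example that is not part of the bug report: it reports whether debugfs is mounted, whether acpi/custom_method is present under it, and the value of /proc/sys/kernel/modules_disabled. The function names, the optional ROOT prefix argument and the sample mounts data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report whether the ACPI custom_method debugfs file is reachable.
# ROOT is a hypothetical prefix argument so the check can run on a fixture tree.

# Constructed sample in /proc/mounts format (not taken from the bug report).
sample_mounts() {
cat <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
nodev /sys/kernel/debug debugfs rw,relatime 0 0
EOF
}

# Print every mount point whose filesystem type (field 3) is debugfs.
debugfs_mountpoints() {
    awk '$3 == "debugfs" { print $2 }' "$1"
}

# custom_method_status MOUNTS_FILE [ROOT]
# Prints: not-mounted | mounted-absent |
#         exposed:<path> modules_disabled=<value|unknown>
custom_method_status() {
    mounts=$1
    root=${2:-}
    state=not-mounted
    for mp in $(debugfs_mountpoints "$mounts"); do
        state=mounted-absent
        if [ -e "$root$mp/acpi/custom_method" ]; then
            md=unknown
            f="$root/proc/sys/kernel/modules_disabled"
            [ -r "$f" ] && md=$(cat "$f")
            echo "exposed:$mp/acpi/custom_method modules_disabled=$md"
            return 0
        fi
    done
    echo "$state"
}

# Live check when run directly on a Linux host.
if [ -r /proc/mounts ]; then
    custom_method_status /proc/mounts
fi
```

An "exposed" result with modules_disabled=1 is the combination this bug is about: module loading is locked down while custom_method is still present.
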
Comment 10 Eugene Teo (Security Response) 2011-06-07 22:43:20 EDT
(In reply to comment #5)
> I believe this is the upstream solution
> ed3aada1bf34c5a9e98af167f125f8a740fc726a

No, this is not the upstream solution. This patch is for CVE-2010-4347. For CVE-2011-1021, please refer to https://lkml.org/lkml/2011/2/22/369.
Comment 11 errata-xmlrpc 2011-09-12 15:46:21 EDT
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2011:1253 https://rhn.redhat.com/errata/RHSA-2011-1253.html
