680841 – (CVE-2011-1021) CVE-2011-1021 kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions

Bug 680841 (CVE-2011-1021) - CVE-2011-1021 kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions

Summary: CVE-2011-1021 kernel: /sys/kernel/debug/acpi/custom_method can bypass module ...

Keywords:
Status:	ASSIGNED
Alias:	CVE-2011-1021
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	Engineering680844
Blocks:	Embargoed717862
TreeView+	depends on / blocked

Reported:	2011-02-28 06:26 UTC by Eugene Teo (Security Response)
Modified:	2021-06-03 12:05 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-03-01 14:46:34 UTC

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:1253	0	normal	SHIPPED_LIVE	Important: kernel-rt security and bug fix update	2011-09-12 19:43:48 UTC

Description Eugene Teo (Security Response) 2011-02-28 06:26:29 UTC

Since /sys/kernel/debug/acpi/custom_method can be used to write arbitrary kernel memory (http://jon.oberheide.org/files/american-sign-language.c), it should be able to be left out of the kernel for system owners that want to be as defensive as possible to potential attacks, even from the root user. See as examples: CONFIG_DEVKMEM, CONFIG_STRICT_DEVMEM, and /proc/sys/kernel/modules_disabled.

https://lkml.org/lkml/2011/2/22/369

Comment 5 John Kacur 2011-04-18 22:02:35 UTC

I believe this is the upstream solution
ed3aada1bf34c5a9e98af167f125f8a740fc726a

Comment 9 Eugene Teo (Security Response) 2011-06-06 02:58:48 UTC

Statement:

The version of Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, and 6 as they did not include upstream commit a1a541d8 and a25ee920 that introduced the problem. This has been addressed in Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-1253.html.

Notes:

This requires debugfs to be mounted on a local system in order to have access
to the custom_method file. Debugfs is not mounted by default. You need to run
"mount -t debugfs nodev /sys/kernel/debug" as root first.

Comment 10 Eugene Teo (Security Response) 2011-06-08 02:43:20 UTC

(In reply to comment #5)
> I believe this is the upstream solution
> ed3aada1bf34c5a9e98af167f125f8a740fc726a

No this is not the upstream solution. This patch is for CVE-2010-4347. For CVE-2011-1021, please refer to https://lkml.org/lkml/2011/2/22/369.

Comment 11 errata-xmlrpc 2011-09-12 19:46:21 UTC

This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2011:1253 https://rhn.redhat.com/errata/RHSA-2011-1253.html

Note You need to log in before you can comment on or make changes to this bug.