Bug 680841 (CVE-2011-1021) - CVE-2011-1021 kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions
Alias: CVE-2011-1021
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: Engineering680844
Blocks: Embargoed717862
Reported: 2011-02-28 06:26 UTC by Eugene Teo (Security Response)
Modified: 2021-06-03 12:05 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-03-01 14:46:34 UTC

System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2011:1253 | 0 | normal | SHIPPED_LIVE | Important: kernel-rt security and bug fix update | 2011-09-12 19:43:48 UTC

Description Eugene Teo (Security Response) 2011-02-28 06:26:29 UTC
Since /sys/kernel/debug/acpi/custom_method can be used to write arbitrary kernel memory (http://jon.oberheide.org/files/american-sign-language.c), it should be able to be left out of the kernel for system owners that want to be as defensive as possible to potential attacks, even from the root user. See as examples: CONFIG_DEVKMEM, CONFIG_STRICT_DEVMEM, and /proc/sys/kernel/modules_disabled.


Comment 5 John Kacur 2011-04-18 22:02:35 UTC
I believe this is the upstream solution

Comment 9 Eugene Teo (Security Response) 2011-06-06 02:58:48 UTC

The version of Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, and 6 as they did not include upstream commit a1a541d8 and a25ee920 that introduced the problem. This has been addressed in Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-1253.html.


This requires debugfs to be mounted on a local system in order to have access
to the custom_method file. Debugfs is not mounted by default. You need to run
"mount -t debugfs nodev /sys/kernel/debug" as root first.

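A defender-side check for the precondition described in comment 9, as an added example that is not part of the original bug report: it lists debugfs mounts and reports whether acpi/custom_method is present under any of them. The function names and the MOUNTS_FILE and SYSROOT overrides are hypothetical, introduced here so the check can be run against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the bug report): report whether custom_method is reachable.
# MOUNTS_FILE and SYSROOT are hypothetical overrides for testing against a
# constructed tree; leave them unset to inspect the live host (run as root so
# the debugfs tree is readable).

# List mount points of type debugfs, one per line.
debugfs_mounts() {
    # /proc/mounts fields: device mountpoint fstype options dump pass
    awk '$3 == "debugfs" { print $2 }' "${MOUNTS_FILE:-/proc/mounts}"
}

# Print "exposed <path>" per custom_method file found; return 0 only if any exist.
custom_method_exposure() {
    out=$(debugfs_mounts | while IFS= read -r mp; do
        mp=$(printf '%b' "$mp")   # decode escapes such as \040 (space)
        f="${SYSROOT:-}$mp/acpi/custom_method"
        if [ -e "$f" ]; then echo "exposed $f"; fi
    done)
    [ -n "$out" ] && echo "$out"
}

# One-line summary suitable for inventory or compliance output.
audit_custom_method() {
    if [ -z "$(debugfs_mounts)" ]; then
        echo "OK: debugfs not mounted"
    elif custom_method_exposure >/dev/null; then
        echo "WARN: debugfs mounted and acpi/custom_method present"
    else
        echo "OK: debugfs mounted, acpi/custom_method absent"
    fi
}
```

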
Comment 10 Eugene Teo (Security Response) 2011-06-08 02:43:20 UTC
(In reply to comment #5)
> I believe this is the upstream solution
> ed3aada1bf34c5a9e98af167f125f8a740fc726a

No, this is not the upstream solution. This patch is for CVE-2010-4347. For CVE-2011-1021, please refer to https://lkml.org/lkml/2011/2/22/369.

Comment 11 errata-xmlrpc 2011-09-12 19:46:21 UTC
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2011:1253 https://rhn.redhat.com/errata/RHSA-2011-1253.html
