Bug 512284 (CVE-2009-1897) - CVE-2009-1897 kernel: tun/tap: Fix crashes if open() /dev/net/tun and then poll() it
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2009-1897
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 512673
Depends On: 512285 512286
Blocks:
Reported: 2009-07-17 03:48 UTC by Eugene Teo (Security Response)
Modified: 2021-11-12 19:58 UTC (History)
CC List: 16 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-21 18:00:54 UTC
Embargoed:



Description Eugene Teo (Security Response) 2009-07-17 03:48:45 UTC
Reported by Eugene Kapun:
Fix NULL pointer dereference in tun_chr_poll() introduced by commit 33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554 ("tun: Limit amount of queued packets per device") and triggered by this code:

    #include <fcntl.h>
    #include <poll.h>
    #include <unistd.h>

    int main(void)
    {
        /* open the tun control device without attaching it to an interface */
        int fd = open("/dev/net/tun", O_RDWR);
        struct pollfd pfd = { .fd = fd, .events = POLLIN | POLLOUT };
        /* tun_chr_poll() runs on the unattached fd: NULL dereference on affected kernels */
        poll(&pfd, 1, 0);
        return 0;
    }

Upstream commit:
http://git.kernel.org/linus/3c8a9c63d5fd738c261bd0ceece04d9c8357ca13

References:
http://lkml.org/lkml/2009/7/6/19
https://bugzilla.redhat.com/show_bug.cgi?id=495863
http://lists.grok.org.uk/pipermail/full-disclosure/2009-July/069714.html
http://git.kernel.org/linus/33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554
http://article.gmane.org/gmane.linux.network/124939
http://git.kernel.org/linus/a3ca86aea507904148870946d599e07a340b39bf

Comment 5 Eugene Teo (Security Response) 2009-07-17 11:23:57 UTC
The Red Hat Security Response Team is aware of the Linux kernel local privilege escalation exploit that is published in a number of security mailing lists and websites. The flaw identified by CVE-2009-1897 is a null pointer dereference vulnerability in the tun_chr_poll() function of the Linux kernel, introduced via the upstream git commit 33dccbb0. This flaw affects kernel versions between 2.6.30-rc1 and 2.6.31-rc3, and was addressed via the upstream git commit 3c8a9c63.

The flaw affects only the Red Hat Enterprise Linux 5.4 beta kernel as the upstream git commit 33dccbb0 was backported to the kernel as a normal bug fix. We will be addressing this flaw in a future update to the beta kernel. It is also possible to mitigate this flaw by ensuring that the permissions for /dev/net/tun are restricted to root only.

The default SELinux policy, in Red Hat Enterprise Linux 5, allows processes in the unconfined domains to map low memory in the kernel. The exploit did not bypass the null pointer dereference protection in the Linux kernel. However, we are updating the selinux-policy package to change this default configuration, so that it prevents the unconfined processes from being able to map the low memory. See bug 511143 for more information.

This issue does not affect any other released kernel in any Red Hat product.

In addition, future updates to Red Hat Enterprise Linux kernels may include the '-fno-delete-null-pointer-checks' gcc CFLAGS. See:
http://git.kernel.org/linus/a3ca86aea507904148870946d599e07a340b39bf

We would like to thank Brad Spengler for bringing these issues to our attention.
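
The following script is an added example, not part of this bug report or of any Red Hat package. It checks the two mitigations comment 5 describes: that /dev/net/tun is accessible only to root (the AC:M reasoning in comment 13 rests on exactly this), and that unprivileged processes cannot map low memory. For the second check the comment names the SELinux policy; the script instead reads the vm.mmap_min_addr sysctl, which enforces the same restriction at the kernel level (an assumption about the equivalent check, not something the report states), and the 64 KiB threshold is likewise an assumed customary value. The helper functions take the permission mode and owner as arguments so they can be exercised without a tun device present.

```shell
#!/bin/sh
# Added example, not from the bug report. Checks the two mitigations named
# in comment 5: (1) /dev/net/tun accessible only by root, and (2) unprivileged
# processes unable to map low memory. For (2) the comment names the SELinux
# policy; this script reads vm.mmap_min_addr instead, the kernel sysctl that
# enforces the same restriction (assumption: treated here as equivalent).

# tun_perms_ok MODE OWNER
#   MODE  octal permission bits as printed by 'stat -c %a' (e.g. 600)
#   OWNER owning user name as printed by 'stat -c %U'
# Succeeds only when the owner is root and neither group nor other has
# read or write access, i.e. the device cannot be open()ed by non-root users.
tun_perms_ok() {
    mode=$1
    owner=$2
    [ "$owner" = "root" ] || return 1
    # leading 0 makes the shell parse MODE as octal; mask 0066 selects the
    # group/other read and write bits
    [ $(( 0$mode & 0066 )) -eq 0 ]
}

# mmap_min_addr_ok VALUE
#   VALUE is the content of /proc/sys/vm/mmap_min_addr (bytes).
# Succeeds when the lowest mappable address is at least 64 KiB, a customary
# hardened value chosen here as an assumption; the bug report gives no number.
mmap_min_addr_ok() {
    [ "$1" -ge 65536 ]
}

# report: run both checks against the live system and print one line each.
report() {
    dev=/dev/net/tun
    if [ ! -e "$dev" ]; then
        echo "$dev: not present"
    elif tun_perms_ok "$(stat -c %a "$dev")" "$(stat -c %U "$dev")"; then
        echo "$dev: root-only access, mitigation in place"
    else
        echo "$dev: readable or writable by non-root users"
    fi
    if [ -r /proc/sys/vm/mmap_min_addr ]; then
        if mmap_min_addr_ok "$(cat /proc/sys/vm/mmap_min_addr)"; then
            echo "vm.mmap_min_addr: low memory protected"
        else
            echo "vm.mmap_min_addr: low memory mappable by unprivileged processes"
        fi
    fi
}

# Run the live checks only when invoked with --check, so the functions can
# also be sourced from another script.
if [ "${1:-}" = "--check" ]; then
    report
fi
```

Run it as `sh tuncheck.sh --check` (assumed file name). A version-number check is deliberately left out: as comment 16 and the RHEL 5.4 beta note show, distributions backport both the faulty commit and its fix, so `uname -r` alone says nothing reliable about whether a given kernel is affected.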

Comment 13 Mark J. Cox 2009-07-20 08:54:54 UTC
The CVSS 'access complexity' metric was originally set to AC:M but I incorrectly changed it to AC:L. I've now put it back to AC:M.  This is because by default /dev/net/tun is restricted to root only access, but it's probable that a system owner could have changed the permissions.

Comment 15 Danny Feng 2009-07-23 05:29:35 UTC
*** Bug 512673 has been marked as a duplicate of this bug. ***

Comment 16 Fedora Update System 2009-07-29 22:25:53 UTC
kernel-2.6.29.6-217.2.3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kernel-2.6.29.6-217.2.3.fc11

