Bug 606611 (CVE-2010-2240) - CVE-2010-2240 kernel: mm: keep a guard page below a grow-down stack segment
Summary: CVE-2010-2240 kernel: mm: keep a guard page below a grow-down stack segment
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-2240
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Andrea Arcangeli
QA Contact:
URL:
Whiteboard:
Depends On: 607853 607854 607855 607856 607857 607858 607859 625364 625634 625635 625636
Blocks:
Reported: 2010-06-22 04:27 UTC by Eugene Teo (Security Response)
Modified: 2023-05-11 14:52 UTC (History)
CC: 43 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-28 08:03:04 UTC
Embargoed:




Links
System                 | ID             | Private | Priority | Status       | Summary                                           | Last Updated
Red Hat Product Errata | RHSA-2010:0631 | 0       | normal   | SHIPPED_LIVE | Important: kernel-rt security and bug fix update  | 2010-08-18 07:58:39 UTC
Red Hat Product Errata | RHSA-2010:0660 | 0       | normal   | SHIPPED_LIVE | Important: kernel security and bug fix update     | 2010-08-30 13:10:32 UTC
Red Hat Product Errata | RHSA-2010:0661 | 0       | normal   | SHIPPED_LIVE | Important: kernel security update                 | 2010-08-30 13:42:59 UTC
Red Hat Product Errata | RHSA-2010:0670 | 0       | normal   | SHIPPED_LIVE | Important: kernel security and bug fix update     | 2010-09-02 18:00:25 UTC
Red Hat Product Errata | RHSA-2010:0676 | 0       | normal   | SHIPPED_LIVE | Important: kernel security update                 | 2010-09-07 13:56:46 UTC
Red Hat Product Errata | RHSA-2010:0677 | 0       | normal   | SHIPPED_LIVE | Important: kernel security update                 | 2010-09-07 13:59:35 UTC
Red Hat Product Errata | RHSA-2010:0882 | 0       | normal   | SHIPPED_LIVE | Important: kernel security and bug fix update     | 2010-11-12 09:36:39 UTC

Description Eugene Teo (Security Response) 2010-06-22 04:27:23 UTC
Description of problem:
When an application has a stack overflow, the stack could silently overwrite another memory-mapped area instead of causing a segmentation fault.

Acknowledgements:

Red Hat would like to thank the X.Org security team for reporting this issue. Upstream acknowledges Rafal Wojtczuk as the original reporter.
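
As an added example (my own code, not from this bug report, from Red Hat or from the upstream commit), here is a probe that sets up the situation the description refers to. It reads /proc/self/maps, plants one anonymous page a chosen number of pages below the main-thread stack, and in a forked child grows the real stack page by page towards it. A kernel with the guard page kills the child with SIGSEGV before the stack reaches the page adjacent to the planted mapping; a kernel without it lets the stack arrive there silently, so the next frame would land inside the foreign mapping with no fault at all. The file name, the constructed sample maps text and the function names are my assumptions; the default distance of one page is the single guard page the upstream commit adds.

```c
/* guard_probe.c: added example, not code from this bug, Red Hat or the
 * upstream fix.  Assumptions (mine): Linux, a "[stack]" line in
 * /proc/self/maps, fork().  Build and run:
 *   cc -O2 -Wall -o guard_probe guard_probe.c && ./guard_probe [gap_pages]  */
#define _GNU_SOURCE
#include <alloca.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed /proc/self/maps excerpt (not captured from a real system), used only as parser input. */
const char sample_maps[] =
    "55d3c0a00000-55d3c0a01000 r--p 00000000 fd:01 1234   /usr/bin/probe\n"
    "7ffd1c3f0000-7ffd1c411000 rw-p 00000000 00:00 0      [stack]\n";

/* Locate the "[stack]" VMA in a maps text and return its [lo, hi) range. */
int parse_stack_range(const char *maps, uintptr_t *lo, uintptr_t *hi)
{
    const char *line = strstr(maps, "[stack]");
    if (!line) return -1;
    while (line > maps && line[-1] != '\n') line--;   /* rewind to line start */
    unsigned long a, b;
    if (sscanf(line, "%lx-%lx", &a, &b) != 2) return -1;
    *lo = a; *hi = b;
    return 0;
}

/* Where to plant the foreign page so that exactly 'gap' unmapped pages
 * separate it from the bottom of the stack VMA. */
uintptr_t probe_target(uintptr_t stack_lo, long page, unsigned gap)
{
    return stack_lo - (uintptr_t)(gap + 1) * (uintptr_t)page;
}

enum { PROBE_REACHED = 0, PROBE_INCONCLUSIVE = 2 };

/* Child: plant the page, then grow the real stack with alloca (so the stack
 * pointer moves with the accesses, as in a genuine deep recursion), writing
 * one byte per page until the page right above the planted mapping is hit. */
static void probe_child(uintptr_t stack_lo, long page, unsigned gap)
{
    uintptr_t target = probe_target(stack_lo, page, gap);
    uintptr_t last = target + (uintptr_t)page;       /* page adjacent to it */
    int flags = MAP_PRIVATE | MAP_ANONYMOUS;
#ifdef MAP_FIXED_NOREPLACE
    flags |= MAP_FIXED_NOREPLACE;
#endif
    void *m = mmap((void *)target, (size_t)page, PROT_READ | PROT_WRITE, flags, -1, 0);
    if (m == MAP_FAILED || (uintptr_t)m != target) {
        /* Kernel refused that spot (2017+ kernels keep a whole stack_guard_gap
         * free below the stack): this distance cannot be tested here. */
        if (m != MAP_FAILED) munmap(m, (size_t)page);
        _exit(PROBE_INCONCLUSIVE);
    }
    unsigned long budget = ((uintptr_t)__builtin_frame_address(0) - last) / (uintptr_t)page + 2;
    while (budget--) {
        volatile char *p = alloca((size_t)page);
        p[0] = 1;                                    /* touch this stack page */
        if (((uintptr_t)p & ~(uintptr_t)(page - 1)) <= last)
            _exit(PROBE_REACHED);     /* wrote the page next to the mapping */
    }
    _exit(PROBE_INCONCLUSIVE);
}

int main(int argc, char **argv)
{
    unsigned gap = argc > 1 ? (unsigned)strtoul(argv[1], NULL, 0) : 1;
    long page = sysconf(_SC_PAGESIZE);
    static char maps[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    size_t n = f ? fread(maps, 1, sizeof maps - 1, f) : 0;
    if (f) fclose(f);
    maps[n] = '\0';
    uintptr_t lo, hi;
    if (parse_stack_range(maps, &lo, &hi) < 0) {
        fputs("cannot find [stack] in /proc/self/maps\n", stderr);
        return 1;
    }
    printf("stack VMA %#lx-%#lx; planting a page %u page(s) below it\n",
           (unsigned long)lo, (unsigned long)hi, gap);
    pid_t pid = fork();
    if (pid == 0) probe_child(lo, page, gap);
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0) {
        perror("fork/waitpid");
        return 1;
    }
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV)
        puts("SIGSEGV before the stack reached the mapping: guard page enforced");
    else if (WIFEXITED(status) && WEXITSTATUS(status) == PROBE_REACHED)
        puts("stack reached the mapping with no fault: no guard page (CVE-2010-2240)");
    else
        puts("inconclusive: probe page could not be placed at that distance");
    return 0;
}
```

Run it as ./guard_probe 1 and then with larger page counts. On kernels that carry the 2017 stack_guard_gap change (256 pages by default, CVE-2017-1000364) a one-page probe usually comes back inconclusive, because the kernel will not place a mapping that close to the stack; raising the argument shows where the enforced gap ends. The probe deliberately touches every page on the way down, which is what stack-probing options such as gcc -fstack-check aim to make large frames do; a frame that skips straight over the guard page is exactly the case a single page cannot catch.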

Comment 24 Eugene Teo (Security Response) 2010-08-13 01:44:06 UTC
Linus has committed a fix for this issue:
http://git.kernel.org/linus/320b2b8de12698082609ebbc1a17165727f4c893

Comment 30 Chuck Ebbert 2010-08-15 22:07:13 UTC
Fixed in 2.6.32.19, 2.6.34.4 and 2.6.35.2. Fixes are in the review stage for 2.6.27.52.

Comment 36 errata-xmlrpc 2010-08-17 15:52:31 UTC
This issue has been addressed in the following products:

  MRG for RHEL-5

Via RHSA-2010:0631 https://rhn.redhat.com/errata/RHSA-2010-0631.html

Comment 37 Eugene Teo (Security Response) 2010-08-18 03:17:17 UTC
From the reporter,
Blog: http://theinvisiblethings.blogspot.com/2010/08/skeletons-hidden-in-linux-closet.html
Paper: http://www.invisiblethingslab.com/resources/misc-2010/xorg-large-memory-attacks.pdf

It was reported that this can be exploited with an X server. It is possible to mitigate this by disabling the MIT-SHM extension, as indicated in section 3.2 of the provided paper. However, this workaround only applies to this specific scenario.

Comment 41 Chuck Ebbert 2010-08-19 10:57:53 UTC
All the fixes are queued as of 2.6.27.52-rc3, 2.6.32.20-rc1, 2.6.34.5-rc1 and 2.6.35.3-rc1. They're also in the latest F12, 13 and 14 updates submitted for testing.

Comment 47 bugreports2005 2010-08-23 07:47:10 UTC
Is this resolved in the current RHEL5 kernel?

Comment 49 Dave Botsch 2010-08-23 18:06:31 UTC
RHEL4?

Comment 51 Eugene Teo (Security Response) 2010-08-24 00:47:56 UTC
(In reply to comment #47)
> Is this resolved in the current RHEL5 kernel?

(In reply to comment #49)
> RHEL4?

Not yet to both. We are working on updates to address this issue. As you can see in comment #43, additional fixes became available two days ago, which we will also need to backport for issues found in the official fixes. Thanks.

Comment 54 bugreports2005 2010-08-27 06:23:19 UTC
Is there an ETA on a fix? We are getting quite nervous.

Comment 55 errata-xmlrpc 2010-08-30 13:11:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.3.Z - Server Only

Via RHSA-2010:0660 https://rhn.redhat.com/errata/RHSA-2010-0660.html

Comment 56 errata-xmlrpc 2010-08-30 13:43:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0661 https://rhn.redhat.com/errata/RHSA-2010-0661.html

Comment 57 advax 2010-08-30 22:07:30 UTC
Reading the original paper
http://cansecwest.com/core05/memory_vulns_delalleau.pdf, it seems that guard pages may be inadequate, especially if programs are compiled without gcc -fstack-check, as applications can control their own stack pointer.

Linus' commit 320b2b8de12698082609ebbc1a17165727f4c893
says it's a minimal patch to add a guard page below a grow-down stack segment.

Am I missing something? Should X be recompiled with -fstack-check?

Comment 58 Eugene Teo (Security Response) 2010-08-31 01:38:59 UTC
(In reply to comment #57)
> Reading the original paper
> http://cansecwest.com/core05/memory_vulns_delalleau.pdf, it seems that guard
> pages may be inadequate, especially if programs are compiled without gcc
> -fstack-check, as applications can control their own stack pointer.
> 
> Linus' commit 320b2b8de12698082609ebbc1a17165727f4c893
> says it's a minimal patch to add a guard page below a grow-down stack segment.
> 
> Am I missing something? Should X be recompiled with -fstack-check?

For the userspace, please follow-up in bug 615330. Thanks.

Comment 59 errata-xmlrpc 2010-09-02 17:20:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.4.Z - Server Only

Via RHSA-2010:0670 https://rhn.redhat.com/errata/RHSA-2010-0670.html

Comment 60 errata-xmlrpc 2010-09-07 13:57:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0676 https://rhn.redhat.com/errata/RHSA-2010-0676.html

Comment 61 errata-xmlrpc 2010-09-07 13:59:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4.7 Z Stream

Via RHSA-2010:0677 https://rhn.redhat.com/errata/RHSA-2010-0677.html

Comment 62 Matt Andrews 2010-09-16 19:08:18 UTC
kernel 2.6.18-194.11.3.el5 x86_64 described in RHSA-2010:0661 https://rhn.redhat.com/errata/RHSA-2010-0661.html appears to still be vulnerable.

Comment 63 Matt Andrews 2010-09-16 20:10:02 UTC
Sorry, it looks like the issue I'm seeing is CVE-2010-3081, not CVE-2010-2240. Please ignore my previous comment.

Comment 64 errata-xmlrpc 2010-11-12 09:37:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3 Extended Lifecycle Support

Via RHSA-2010:0882 https://rhn.redhat.com/errata/RHSA-2010-0882.html

