Bug 782642 (CVE-2012-0056) - CVE-2012-0056 kernel: proc: /proc/<pid>/mem mem_write insufficient permission checking
Status: CLOSED ERRATA
Alias: CVE-2012-0056
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 782643 782645 782646 782647 782649 782650 782681
Blocks: 782636
 
Reported: 2012-01-18 02:34 UTC by Eugene Teo (Security Response)
Modified: 2023-05-11 18:27 UTC
CC List: 23 users

Doc Type: Bug Fix
Last Closed: 2017-09-15 17:08:33 UTC


Attachments
Attachment 556461: A reproducer that tests if we have commit 198214a7. (671 bytes, text/plain), added 2012-01-20 07:16 UTC by Eugene Teo (Security Response)


Links
Red Hat Product Errata RHSA-2012:0052 (not private, priority normal, status SHIPPED_LIVE): Important: kernel security and bug fix update; last updated 2012-01-24 01:18:10 UTC
Red Hat Product Errata RHSA-2012:0061 (not private, priority normal, status SHIPPED_LIVE): Important: kernel-rt security update; last updated 2012-01-25 02:36:53 UTC

Description Eugene Teo (Security Response) 2012-01-18 02:34:28 UTC
From Linus' patch:
"Jüri Aedla reported that the /proc/<pid>/mem handling really isn't very robust, and it also doesn't match the permission checking of any of the other related files.

This changes it to do the permission checks at open time, and instead of tracking the process, it tracks the VM at the time of the open.  That simplifies the code a lot, but does mean that if you hold the file descriptor open over an execve(), you'll continue to read from the _old_ VM."

A local, unprivileged user could use this flaw to escalate their privileges.

Upstream commit:
http://git.kernel.org/linus/e268337dfe26dfc7efd422a804dbb27977a3cccc

Acknowledgements:

Red Hat would like to thank Jüri Aedla for reporting this issue.

Comment 7 Eugene Teo (Security Response) 2012-01-18 03:06:52 UTC
Statement:

This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5 as it did not backport the upstream commit 198214a7ee. This has been addressed in Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2012-0052.html and https://rhn.redhat.com/errata/RHSA-2012-0061.html. For more information, please read https://access.redhat.com/kb/docs/DOC-69129.

Comment 11 Eugene Teo (Security Response) 2012-01-18 07:09:45 UTC
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 782681]

Comment 14 Eugene Teo (Security Response) 2012-01-18 13:18:47 UTC
Ensure that ASLR is enabled, see /proc/sys/kernel/randomize_va_space.

Comment 17 Eugene Teo (Security Response) 2012-01-20 07:16:14 UTC
Created attachment 556461 [details]
A reproducer that tests if we have commit 198214a7.
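
The following is an added example; it is not the reproducer attached to this bug (attachment 556461, whose source is not reproduced on this page) and not Red Hat's code. It checks on the running kernel the two things Comments 14 and 17 ask about: whether /proc/sys/kernel/randomize_va_space is 2 (full ASLR), and whether the kernel accepts writes to /proc/self/mem at all. Before upstream commit 198214a7 the write handler of /proc/<pid>/mem was compiled out and write() failed with EINVAL; with it, a process can write its own memory through /proc/self/mem. Function names and the marker values are this example's own choices. Note the limit of the test: a successful self-write shows only that mem_write exists, it cannot distinguish a vulnerable kernel from one carrying the e268337d fix, because the fix also lets a process write its own address space.

```c
/* Added example: probe ASLR level and /proc/self/mem writability.
 * Not the attached reproducer and not Red Hat code. */
#define _GNU_SOURCE
#define _FILE_OFFSET_BITS 64
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

enum mem_write_result {
    MEM_WRITE_UNAVAILABLE = 0, /* write() -> EINVAL: mem_write compiled out (pre-198214a7) */
    MEM_WRITE_WORKS = 1,       /* write landed in our own memory: mem_write present */
    MEM_WRITE_UNKNOWN = -1     /* /proc/self/mem not openable or unexpected outcome */
};

/* Parse the text of randomize_va_space: "0", "1" or "2", optional trailing
 * newline/space. Anything else (including out-of-range values) yields -1. */
int parse_randomize_va_space(const char *s)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || end == s)
        return -1;
    while (*end == '\n' || *end == ' ')
        end++;
    if (*end != '\0' || v < 0 || v > 2)
        return -1;
    return (int)v;
}

/* 1 if stack, mmap and brk are all randomized (level 2), 0 if partial or
 * disabled, -1 if the level is unknown. */
int aslr_is_full(int level)
{
    if (level < 0)
        return -1;
    return level == 2;
}

/* Read the sysctl file Comment 14 points at; -1 if it cannot be read. */
int read_randomize_va_space(void)
{
    char buf[16];
    ssize_t n;
    int fd = open("/proc/sys/kernel/randomize_va_space", O_RDONLY);

    if (fd < 0)
        return -1;
    n = read(fd, buf, sizeof(buf) - 1);
    close(fd);
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    return parse_randomize_va_space(buf);
}

/* Try to overwrite a marker variable in our own address space through
 * /proc/self/mem, using the marker's address as the file offset. */
enum mem_write_result probe_proc_self_mem_write(void)
{
    volatile uint32_t marker = 0x41414141u; /* constructed marker value */
    const uint32_t patch = 0x42424242u;
    int fd = open("/proc/self/mem", O_RDWR);
    ssize_t n;
    int saved;

    if (fd < 0)
        return MEM_WRITE_UNKNOWN;
    n = pwrite(fd, &patch, sizeof(patch), (off_t)(uintptr_t)&marker);
    saved = errno;
    close(fd);
    if (n == (ssize_t)sizeof(patch) && marker == patch)
        return MEM_WRITE_WORKS;
    if (n < 0 && saved == EINVAL)
        return MEM_WRITE_UNAVAILABLE;
    return MEM_WRITE_UNKNOWN;
}

int main(void)
{
    int level = read_randomize_va_space();

    printf("randomize_va_space = %d (%s)\n", level,
           aslr_is_full(level) == 1 ? "full ASLR" :
           aslr_is_full(level) == 0 ? "partial or disabled ASLR" : "unknown");
    switch (probe_proc_self_mem_write()) {
    case MEM_WRITE_WORKS:
        puts("/proc/self/mem write succeeded: mem_write present (198214a7 or later); "
             "confirm the CVE-2012-0056 fix via the kernel errata, not this test");
        break;
    case MEM_WRITE_UNAVAILABLE:
        puts("/proc/self/mem write rejected with EINVAL: mem_write compiled out");
        break;
    default:
        puts("could not determine /proc/self/mem behaviour");
    }
    return 0;
}
```

Run it as an unprivileged user on the host being assessed; a RHEL 5 kernel reports the EINVAL case, while a RHEL 6 kernel with or without RHSA-2012:0052 reports a successful self-write, which is why the package version, not the probe, is the authoritative indicator of the fix.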

Comment 18 Petr Matousek 2012-01-20 09:36:47 UTC
To mitigate the issue:

1) On the host, save the following in a file with the ".stp" extension:

probe kernel.function("mem_write@fs/proc/base.c").call {
  # guru mode (-g) lets the script modify the function's argument:
  # forcing count to 0 turns every write to /proc/<pid>/mem into a no-op
  $count = 0
}

2) Install the "systemtap" package and any required dependencies. Refer to
the "2. Using SystemTap" chapter in the Red Hat Enterprise Linux 6
"SystemTap Beginners Guide" document, available from docs.redhat.com, for
information on installing the required -debuginfo packages.

3) Run the "stap -g [filename-from-step-1].stp" command as root.

If the host is rebooted, the changes will be lost and the script must be
run again.

Comment 19 Murray McAllister 2012-01-20 14:44:28 UTC
Knowledgebase article for this issue: https://access.redhat.com/kb/docs/DOC-69129

Comment 20 Eugene Teo (Security Response) 2012-01-23 01:07:26 UTC
Linux Local Privilege Escalation via SUID /proc/pid/mem Write
http://blog.zx2c4.com/749

Comment 21 Eugene Teo (Security Response) 2012-01-23 14:44:00 UTC
This was shared on oss-security list on Jan 18, http://seclists.org/oss-sec/2012/q1/178. All Linux distro representatives are (expected to be) subscribed to this list.

Comment 22 Eugene Teo (Security Response) 2012-01-23 14:45:45 UTC
Kees wrote a blog post about this, http://www.outflux.net/blog/archives/2012/01/22/fixing-vulnerabilities-with-systemtap/.

Comment 24 Eugene Teo (Security Response) 2012-01-23 14:51:03 UTC
Spender modified the reproducer to make it work on PaX, http://grsecurity.net/~spender/correct_proc_mem_reproducer.c

Comment 27 errata-xmlrpc 2012-01-23 20:20:38 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0052 https://rhn.redhat.com/errata/RHSA-2012-0052.html

Comment 32 Petr Matousek 2012-01-24 09:30:49 UTC
Original report and exploit from Jüri Aedla:

http://kodu.ut.ee/~asd/exp-0-aedla/report.html
http://kodu.ut.ee/~asd/exp-0-aedla/exp-0-aedla.c

Comment 35 errata-xmlrpc 2012-01-24 21:37:25 UTC
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:0061 https://rhn.redhat.com/errata/RHSA-2012-0061.html

Comment 40 Eugene Teo (Security Response) 2012-01-26 01:58:57 UTC
LWN: A /proc/PID/mem vulnerability
https://lwn.net/Articles/476947/

