Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 2 Dec 2010 15:53:52 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVE request: kernel: failure to revert address
 limit override in OOPS error path

Please use CVE-2010-4258 for this.

Thanks.

-- 
    JB


----- "Dan Rosenberg" <dan.j.rosenberg@...il.com> wrote:

> Nelson Elhage reported an issue in the Linux kernel.  When the kernel
> performs an address limit override via set_fs(KERNEL_DS) and
> subsequently faults or BUGs before restoring USER_DS, the error path
> includes calls to put_user() to a user-controlled address.  Calls to
> put_user() include access_ok() checks on the provided address to
> ensure it lies in userspace.  However, because of the address limit
> override, these checks will always pass in this case, allowing the
> process owner to turn an OOPS into a write to an arbitrary kernel
> address, which can easily lead to privilege escalation.
> 
> This problem requires an additional vulnerability to exploit, but as
> Nelson points out, it's not too uncommon for such issues to exist.
> CVE-2010-3849 (NULL pointer dereference in Econet) is a recent
> example
> that can be triggered under KERNEL_DS and used to escalate privileges
> via this bug.
> 
> Reference:
> http://marc.info/?l=linux-kernel&m=129117048916957&w=2
> 
> -Dan

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ