Date: Thu, 2 Dec 2010 15:53:52 -0500 (EST) From: Josh Bressers <bressers@...hat.com> To: oss-security@...ts.openwall.com Cc: coley <coley@...re.org> Subject: Re: CVE request: kernel: failure to revert address limit override in OOPS error path Please use CVE-2010-4258 for this. Thanks. -- JB ----- "Dan Rosenberg" <dan.j.rosenberg@...il.com> wrote: > Nelson Elhage reported an issue in the Linux kernel. When the kernel > performs an address limit override via set_fs(KERNEL_DS) and > subsequently faults or BUGs before restoring USER_DS, the error path > includes calls to put_user() to a user-controlled address. Calls to > put_user() include access_ok() checks on the provided address to > ensure it lies in userspace. However, because of the address limit > override, these checks will always pass in this case, allowing the > process owner to turn an OOPS into a write to an arbitrary kernel > address, which can easily lead to privilege escalation. > > This problem requires an additional vulnerability to exploit, but as > Nelson points out, it's not too uncommon for such issues to exist. > CVE-2010-3849 (NULL pointer dereference in Econet) is a recent > example > that can be triggered under KERNEL_DS and used to escalate privileges > via this bug. > > Reference: > http://marc.info/?l=linux-kernel&m=129117048916957&w=2 > > -Dan
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ