[PATCH 0/3] CVE-2010-4258

Andy Whitcroft apw at canonical.com
Tue Mar 1 09:42:07 UTC 2011


On Mon, Feb 28, 2011 at 10:40:52AM -0800, Brad Figg wrote:
> Following this email will be 3 patches associated with this CVE. The patches
> apply cleanly to Dapper, Hardy and Karmic. Lucid, Maverick and Natty have
> already been patched for this issue via upstream stable commits (or regular
> upstream commits).
> 
>     If a user manages to trigger an oops with fs set to KERNEL_DS, fs is not
>     otherwise reset before do_exit().  do_exit may later (via mm_release in
>     fork.c) do a put_user to a user-controlled address, potentially allowing
>     a user to leverage an oops into a controlled write into kernel memory.
>     
>     This is only triggerable in the presence of another bug, but this
>     potentially turns a lot of DoS bugs into privilege escalations, so it's
>     worth fixing.  I have proof-of-concept code which uses this bug along
>     with CVE-2010-3849 to write a zero to an arbitrary kernel address, so
>     I've tested that this is not theoretical.
>     
>     A more logical place to put this fix might be when we know an oops has
>     occurred, before we call do_exit(), but that would involve changing
>     every architecture, in multiple places.
>     
>     Let's just stick it in do_exit instead.
> 
> Nelson Elhage (1):
>   do_exit(): make sure that we run with get_fs() == USER_DS
> 
>  kernel/exit.c |    9 +++++++++
>  1 files changed, 9 insertions(+), 0 deletions(-)

Those all look fine to me.

Acked-by: Andy Whitcroft <apw at canonical.com>

-apw
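The quoted commit message explains the mechanism behind CVE-2010-4258: after an oops with fs left at KERNEL_DS, do_exit() reaches mm_release(), whose clear_child_tid put_user() then passes the address-limit check for a user-chosen kernel address. The following is an added user-space model of that check and of the fix the message describes (reset the limit to USER_DS at the start of do_exit()); it is not code from this email, from the referenced patch, or from the kernel. The address-space split (TASK_SIZE_MODEL), the fake kernel window (FAKE_KERNEL_ADDR), the struct task, and every model_* function are assumptions made for illustration and do not reproduce the kernel's real access_ok()/put_user() implementation.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: addresses below TASK_SIZE_MODEL are "user", at or
 * above are "kernel". The value is an assumption, not a real TASK_SIZE. */
#define TASK_SIZE_MODEL  0x80000000u

/* Modelled address limits playing the role of USER_DS and KERNEL_DS. */
#define MODEL_USER_DS    (TASK_SIZE_MODEL - 1)
#define MODEL_KERNEL_DS  0xFFFFFFFFu

/* Constructed kernel window so a "kernel" write can be observed. */
#define FAKE_KERNEL_ADDR 0xC0000000u
static uint8_t fake_kernel_mem[16];

struct task {
    uint32_t addr_limit;      /* what get_fs() would report */
    uint32_t clear_child_tid; /* user-controlled, as set by set_tid_address() */
};

/* Modelled access_ok(): the whole range must lie at or below the limit
 * and must not wrap around the top of the address space. */
static bool model_access_ok(const struct task *t, uint32_t addr, uint32_t len)
{
    return addr + len > addr && addr + len - 1 <= t->addr_limit;
}

/* Modelled put_user(): 0 on success, -EFAULT when the limit check rejects
 * the write. Only the constructed kernel window is backed by storage;
 * writes anywhere else are treated as succeeding without side effects. */
static int model_put_user(const struct task *t, uint32_t val, uint32_t addr)
{
    if (!model_access_ok(t, addr, sizeof val))
        return -EFAULT;
    if (addr >= FAKE_KERNEL_ADDR &&
        addr + sizeof val <= FAKE_KERNEL_ADDR + sizeof fake_kernel_mem)
        memcpy(&fake_kernel_mem[addr - FAKE_KERNEL_ADDR], &val, sizeof val);
    return 0;
}

/* Modelled mm_release() -> clear_child_tid(): writes 0 to the address the
 * task registered, exactly the put_user() the commit message points at. */
static int model_mm_release(const struct task *t)
{
    if (t->clear_child_tid == 0)
        return 0;
    return model_put_user(t, 0, t->clear_child_tid);
}

/* do_exit() without the fix: fs stays wherever the oops left it. */
static int model_do_exit_unfixed(struct task *t)
{
    return model_mm_release(t);
}

/* do_exit() with the fix described above: force USER_DS first, so a
 * later put_user() cannot reach kernel addresses. */
static int model_do_exit_fixed(struct task *t)
{
    t->addr_limit = MODEL_USER_DS;
    return model_mm_release(t);
}

/* One scenario: the task oopsed while fs == KERNEL_DS and its
 * clear_child_tid points into the constructed kernel window. Returns the
 * put_user() result; the window is pre-filled so a write is detectable. */
static int run_scenario(bool with_fix)
{
    struct task t = { .addr_limit = MODEL_KERNEL_DS,
                      .clear_child_tid = FAKE_KERNEL_ADDR };
    memset(fake_kernel_mem, 0xAB, sizeof fake_kernel_mem);
    return with_fix ? model_do_exit_fixed(&t) : model_do_exit_unfixed(&t);
}

/* True if the first word of the constructed kernel window was zeroed. */
static bool kernel_window_is_zeroed(void)
{
    uint32_t word;
    memcpy(&word, fake_kernel_mem, sizeof word);
    return word == 0;
}

int main(void)
{
    int rc = run_scenario(false);
    printf("unfixed: rc=%d, kernel word zeroed=%d\n", rc, kernel_window_is_zeroed());
    rc = run_scenario(true);
    printf("fixed:   rc=%d, kernel word zeroed=%d\n", rc, kernel_window_is_zeroed());
    return 0;
}
```

In the unfixed path the limit check passes and the zero lands in the modelled kernel window; in the fixed path the same put_user() fails with -EFAULT and the window is untouched, which is the whole effect of resetting fs at the top of do_exit(). The check is deliberately placed in do_exit() rather than at each oops site, matching the reasoning in the commit message.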
