[PATCH 0/3] CVE-2010-4258
Tim Gardner
tim.gardner at canonical.com
Wed Mar 2 14:33:34 UTC 2011
On 02/28/2011 11:40 AM, Brad Figg wrote:
> Following this email will be 3 patches associated with this CVE. The patches
> apply cleanly to Dapper, Hardy and Karmic. Lucid, Maverick and Natty have
> already been patched for this issue via upstream stable commits (or regular
> upstream commits).
>
> If a user manages to trigger an oops with fs set to KERNEL_DS, fs is not
> otherwise reset before do_exit(). do_exit may later (via mm_release in
> fork.c) do a put_user to a user-controlled address, potentially allowing
> a user to leverage an oops into a controlled write into kernel memory.
>
> This is only triggerable in the presence of another bug, but this
> potentially turns a lot of DoS bugs into privilege escalations, so it's
> worth fixing. I have proof-of-concept code which uses this bug along
> with CVE-2010-3849 to write a zero to an arbitrary kernel address, so
> I've tested that this is not theoretical.
>
> A more logical place to put this fix might be when we know an oops has
> occurred, before we call do_exit(), but that would involve changing
> every architecture, in multiple places.
>
> Let's just stick it in do_exit instead.
>
> Nelson Elhage (1):
> do_exit(): make sure that we run with get_fs() == USER_DS
>
> kernel/exit.c | 9 +++++++++
> 1 files changed, 9 insertions(+), 0 deletions(-)
>
>
Applied after adding the CVE boilerplate to the commit message.
--
Tim Gardner tim.gardner at canonical.com
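To make the mechanism in the cover letter concrete, here is a small user-space model (added here, constructed for illustration, not code from the patch or the kernel) of why do_exit() must reset the address limit: a put_user() check is only as strong as get_fs(), and mm_release()'s clear_child_tid write goes to a task-chosen address. The addresses, memory layout and the `fixed` switch are assumptions of the model.

```c
#include <stdint.h>
#include <errno.h>
#include <stdio.h>

/* Constructed address-limit model: access is allowed iff addr <= addr_limit. */
#define USER_DS     0x00007fffffffffffULL   /* user-space limit            */
#define KERNEL_DS   0xffffffffffffffffULL   /* no limit: kernel addresses ok */
#define USER_ADDR   0x00007fff00000000ULL   /* constructed user address     */
#define KERNEL_ADDR 0xffffffff81000000ULL   /* constructed kernel address   */

struct mem  { uint32_t user_word; uint32_t kernel_word; };   /* fake memory  */
struct task { uint64_t addr_limit; uint64_t clear_child_tid; };

/* Models put_user(): the access_ok() test depends on the task's get_fs(). */
static int put_user(struct task *t, uint64_t addr, uint32_t val, struct mem *m)
{
    if (addr > t->addr_limit)
        return -EFAULT;                     /* rejected under USER_DS */
    if (addr == USER_ADDR)        m->user_word = val;
    else if (addr == KERNEL_ADDR) m->kernel_word = val;
    else return -EFAULT;
    return 0;
}

/* Models mm_release() -> clear_child_tid(): writes 0 to a task-chosen address. */
static int mm_release(struct task *t, struct mem *m)
{
    if (!t->clear_child_tid)
        return 0;
    return put_user(t, t->clear_child_tid, 0, m);
}

/* Models do_exit(); fixed != 0 applies the patch's set_fs(USER_DS) reset. */
static int do_exit(struct task *t, struct mem *m, int fixed)
{
    if (fixed)
        t->addr_limit = USER_DS;            /* reset before mm_release() */
    return mm_release(t, m);
}

/* Scenario from the cover letter: the task oopsed with get_fs() == KERNEL_DS
 * and its clear_child_tid points at a kernel address. Returns the kernel word
 * after do_exit(): 0 if the write landed, 0xdeadbeef if it was refused. */
static uint32_t run_scenario(int fixed)
{
    struct mem m  = { .user_word = 1, .kernel_word = 0xdeadbeef };
    struct task t = { .addr_limit = KERNEL_DS, .clear_child_tid = KERNEL_ADDR };
    do_exit(&t, &m, fixed);
    return m.kernel_word;
}

int main(void)
{
    printf("unfixed do_exit: kernel word = %#x\n", run_scenario(0));
    printf("fixed do_exit:   kernel word = %#x\n", run_scenario(1));
    return 0;
}
```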