Bug 85385 - sys_epoll_wait() Integer Overflow (CAN-2005-0736)
Summary: sys_epoll_wait() Integer Overflow (CAN-2005-0736)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All All
Importance: High major
Assignee: Gentoo Security
URL: http://secunia.com/advisories/14548/
Whiteboard: [linux >=2.6 < 2.6.11.2]
Keywords:
Depends on:
Blocks:
 
Reported: 2005-03-15 11:49 UTC by Jean-François Brunette (RETIRED)
Modified: 2009-05-03 14:45 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Jean-François Brunette (RETIRED) gentoo-dev 2005-03-15 11:49:02 UTC
CVE reference: CAN-2005-0736

Description:
Georgi Guninski has reported a potential vulnerability in the Linux kernel, which may be exploited by malicious people to gain escalated privileges.

The vulnerability is caused by an integer overflow in the "sys_epoll_wait()" function and can be exploited to cause a buffer overflow overwriting low kernel memory.

Successful exploitation may potentially allow execution of arbitrary code with escalated privileges. However, few applications reportedly use the affected part of the kernel memory space.

The vulnerability has been reported in versions 2.6 through 2.6.11.

Solution:
Update to version 2.6.11.2 or later.
http://kernel.org/

Original Advisory:
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.2
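The class of bug described above (a user-controlled element count multiplied by an element size in 32-bit arithmetic, so that a huge count wraps to a small byte length and slips past a range check) can be shown in a few lines. The following is an added, constructed example written for this page; it is not the kernel's sys_epoll_wait() code nor the 2.6.11.2 patch. The `struct event` layout, the `MAX_EVENTS` bound and both function names are assumptions chosen for illustration; the hardened version shows the general defensive pattern of validating the count against `INT_MAX / sizeof(element)` before any multiplication happens.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a per-event record handed back to user space.
 * Laid out so that sizeof(struct event) is 16 on any common platform;
 * the exact size only matters for the arithmetic below. */
struct event {
    uint32_t events;
    uint32_t pad;
    uint64_t data;
};

/* Vulnerable pattern (assumed, illustrative): the caller's event count is
 * multiplied by the element size in 32-bit arithmetic. For a count of
 * 0x10000001 the product is 2^32 + 16, which wraps to 16, so a later
 * "does the buffer fit?" check sees a tiny length while the copy loop
 * still iterates 0x10000001 times. uint32_t is used here so the wrap is
 * well-defined C rather than signed overflow. */
uint32_t unchecked_buffer_len(int maxevents)
{
    return (uint32_t)maxevents * (uint32_t)sizeof(struct event);
}

/* Largest count whose byte length still fits in an int without wrapping.
 * This bound is the generic defensive check, not a value from the page. */
#define MAX_EVENTS ((int)(INT_MAX / sizeof(struct event)))

/* Hardened pattern: reject non-positive and oversized counts before doing
 * any size arithmetic, and do the multiplication in a wider type.
 * Returns -1 (EINVAL-style rejection) for an invalid count, otherwise the
 * exact byte length of the user buffer that will be written. */
int64_t checked_buffer_len(int maxevents)
{
    if (maxevents <= 0 || maxevents > MAX_EVENTS)
        return -1;
    return (int64_t)maxevents * (int64_t)sizeof(struct event);
}

int main(void)
{
    int hostile = 0x10000001;           /* constructed attacker-chosen count */
    printf("sizeof(struct event)       = %zu\n", sizeof(struct event));
    printf("unchecked len for %#x     = %u (wrapped)\n",
           hostile, unchecked_buffer_len(hostile));
    printf("checked   len for %#x     = %lld (rejected)\n",
           hostile, (long long)checked_buffer_len(hostile));
    printf("checked   len for 3         = %lld\n",
           (long long)checked_buffer_len(3));
    return 0;
}
```

The important design point is the order of operations: the bound is checked on the count itself, where no overflow can have occurred yet, rather than on the computed length, which is exactly the value an overflow corrupts.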
Comment 1 solar (RETIRED) gentoo-dev 2005-03-15 12:32:49 UTC
hardened-dev-sources-2.6.11-r1 is marked stable with .11.2 (base)
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-03-16 02:26:15 UTC
From Ubuntu's latest:

Georgi Guninski discovered an integer overflow in the sys_epoll_wait()
function which allowed local users to overwrite the first few kB of
physical memory. However, very few applications actually use this
space (dosemu is a notable exception), but potentially this could lead
to privilege escalation. (CAN-2005-0736)
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-03-16 03:16:37 UTC
Mass-Ccing kern-sec@gentoo.org to make sure Kernel Security guys know about all
of these...
Comment 4 Daniel Drake (RETIRED) gentoo-dev 2005-03-19 06:18:48 UTC
Fixed in gentoo-dev-sources-2.6.11-r4
Comment 5 Joshua Kinard gentoo-dev 2005-04-23 22:26:05 UTC
mips-sources fixed.
Comment 6 Daniel Drake (RETIRED) gentoo-dev 2005-04-29 17:40:12 UTC
Fixed in usermode-sources-2.6.11
Comment 7 Daniel Drake (RETIRED) gentoo-dev 2005-05-10 15:32:12 UTC
Fixed in ck-sources-2.6.11-r7
Comment 8 Tim Yamin (RETIRED) gentoo-dev 2005-07-26 13:33:34 UTC
All fixed, closing bug.