Bug 72452 - Linux Kernel Local DoS and Memory Content Disclosure Vulnerabilities (CAN-2004-1074)
Bug#: 72452 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: jg@cms.ac
Component: Kernel
URL:  http://secunia.com/advisories/13308/
Summary: Linux Kernel Local DoS and Memory Content Disclosure Vulnerabilities (CAN-2004-1074)
Keywords:  
Status Whiteboard: [linux <2.6.10]
Opened: 2004-11-25 05:37 0000
Description:   Opened: 2004-11-25 05:37 0000 
source: http://secunia.com/advisories/13308/

Affected: 2.4.x + 2.6.x

Description:
Two vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain knowledge of potentially sensitive information.

1) An unspecified error can be exploited via a specially crafted a.out binary to cause a DoS.

2) A race condition within the memory management can be exploited to disclose the content of random physical memory pages.

Original Advisory:
http://www.suse.de/de/security/2004_01_sr.html


Reproducible: Always
Steps to Reproduce:

------- Comment #1 From Luke Macken (RETIRED) 2004-12-01 08:26:50 0000 ------- 
Created an attachment (id=45056) [details]
CAN-2004-1074.patch

Patch by Chris Wright to fix CAN-2004-1074 (issue #1 mentioned in this bug)

------- Comment #2 From Tim Yamin (RETIRED) 2004-12-01 11:15:50 0000 ------- 
Ok, do we have a patch for issue #2 or has SuSE finally released their kernel
updates...?

------- Comment #3 From Tim Yamin (RETIRED) 2004-12-01 11:52:13 0000 ------- 
Created an attachment (id=45071) [details]
2.4 Patch

------- Comment #4 From Luke Macken (RETIRED) 2004-12-01 13:36:53 0000 ------- 
It sounds to me like #2 is just a dupe of bug 72317.

(see also: http://www.suse.de/de/security/2004_42_kernel.html)

------- Comment #5 From Tim Yamin (RETIRED) 2004-12-02 11:53:41 0000 ------- 
All done, the following externally maintained sources need maintainer magic:

grsec-sources - Solar, I think you've fixed this? Confirm please.

gentoo-dev-sources - Adding dsd...
hardened(-dev)-sources - Adding hardened herd...
hppa(-dev)-sources - Adding GMSoft...
mips-sources - Adding Kumba...
openmosix-sources - Adding cluster herd...
pegasos-dev-sources - Adding dholm...
rsbac(-dev)-sources - Adding kang...
sparc-sources - Adding Joker...

------- Comment #6 From Daniel Drake 2004-12-02 12:16:39 0000 ------- 
This 2.6 patch should also be applied after attachment 45056 [details]
http://linux.bkbits.net:8080/linux-2.6/cset@1.2055.1.182?nav=index.html|src/|src/fs|related/fs/exec.c

------- Comment #7 From Daniel Drake 2004-12-02 13:53:37 0000 ------- 
Created an attachment (id=45171) [details]
2.6.7 version of the 2nd vma fix

2.6.7 version of the patch mentioned in comment 6

------- Comment #8 From Christian Birchinger 2004-12-02 18:11:50 0000 ------- 
sparc-sources-2.4.28-r1 released

------- Comment #9 From solar 2004-12-02 21:28:41 0000 ------- 
grsec-sources-2.4.28 has not had any additional security patches added to it
yet.
uptime is only 5 days and not looking forward to patching kernel again.
debating dropping grsec-sources all together.

------- Comment #10 From Joshua Kinard 2004-12-03 01:51:11 0000 ------- 
mips-sources fixed.

------- Comment #11 From Daniel Drake 2004-12-03 03:41:45 0000 ------- 
Created an attachment (id=45193) [details]
2.6.8 version of the 2nd vma fix

2.6.8 version of the patch mentioned in comment 6

------- Comment #12 From solar 2004-12-03 06:57:05 0000 ------- 
Well I went to patch grsec sources this morn but I see that somebody has
totally fsked it up. That would be you dsd. Please fix what you broke.

------- Comment #13 From Adam Mondl (RETIRED) 2004-12-03 07:32:49 0000 ------- 
Fixed in ~arch hardened-sources-2.4.28

------- Comment #14 From Daniel Drake 2004-12-03 11:25:30 0000 ------- 
gentoo-dev-sources done

------- Comment #15 From David Holm (RETIRED) 2004-12-04 05:49:21 0000 ------- 
pegasos-dev-sources fixed

------- Comment #16 From Konstantin Arkhipov 2004-12-04 08:41:13 0000 ------- 
oM-sources: fixed in ~x86.

------- Comment #17 From Adam Mondl (RETIRED) 2004-12-07 21:46:00 0000 ------- 
~x86 hardened-dev-sources fixed

------- Comment #18 From Guy Martin 2004-12-08 09:30:00 0000 ------- 
Done on hppa(-dev)-sources.

------- Comment #19 From Guillaume Destuynder (RETIRED) 2004-12-08 12:19:09 0000 ------- 
|- rsbac-dev-sources: done in r10
|- rsbac-sources:     done in r1

------- Comment #20 From solar 2004-12-13 09:36:42 0000 ------- 
grsec is done.

------- Comment #21 From solar 2004-12-13 09:40:05 0000 ------- 
All kernels appear to be done at this point.. Removing extra CC: people

------- Comment #22 From Tim Yamin (RETIRED) 2004-12-19 07:55:52 0000 ------- 
Created an attachment (id=46349) [details]
2.4.28 VMA Patch

------- Comment #23 From Adam Mondl (RETIRED) 2004-12-24 13:10:37 0000 ------- 
~x86 hardened-sources-2.4.28-r1 updated for VMA patch

------- Comment #24 From Tim Yamin (RETIRED) 2004-12-24 16:25:32 0000 ------- 
Created an attachment (id=46830) [details]
2.4.28 VMA Patch (Requires a.out patch)

------- Comment #25 From Tim Yamin (RETIRED) 2004-12-24 16:26:29 0000 ------- 
Created an attachment (id=46831) [details]
2.4.28 Patch (Use with GRSecurity-enabled kernels; requires a.out patch)

------- Comment #26 From Tim Yamin (RETIRED) 2004-12-24 16:42:33 0000 ------- 
Created an attachment (id=46836) [details]
2.6.9 Patch

------- Comment #27 From Tim Yamin (RETIRED) 2004-12-24 16:45:12 0000 ------- 
Ok, all patched - the following externally maintained sources need to make sure
they also have the VMA patches for both 2.4 and 2.6 applied.

*NOTE* If you already have done this (for both branches if applicable), please
state so on this bug. Thanks!

grsec-sources -- Adding tocharian...
hppa(-dev)-sources -- Adding GMSoft...
mips-sources -- Adding `Kumba...
openmosix-sources -- Adding cluster herd...
pegasos-dev-sources -- Adding dholm...
rsbac(-dev)-sources -- Adding kang...
sparc-sources -- Adding Joker...

------- Comment #28 From Christian Birchinger 2004-12-24 19:03:11 0000 ------- 
Fixed sparc-sources-2.4.28-r3 released.

------- Comment #29 From David Holm (RETIRED) 2004-12-25 05:28:53 0000 ------- 
pegasos-dev-sources should be fixed

------- Comment #30 From Adam Mondl (RETIRED) 2004-12-25 05:33:00 0000 ------- 
grsec-sources-2.4.28.2.0.2-r3 has updated VMA patch

------- Comment #31 From Konstantin Arkhipov 2004-12-27 01:21:09 0000 ------- 
done in oM6-sources

------- Comment #32 From Guy Martin 2004-12-27 06:27:12 0000 ------- 
2.4 is dropped on hppa and I've added 2.6.10-pa1 which doesn't seems affected
by this problem.

------- Comment #33 From Joshua Kinard 2005-01-05 21:21:33 0000 ------- 
mips-sources fixed.

------- Comment #34 From Guillaume Destuynder (RETIRED) 2005-01-13 15:54:09 0000 ------- 
rsbac-sources: all fixed/updated (old -dev also, so)

------- Comment #35 From Tim Yamin (RETIRED) 2005-01-15 14:42:03 0000 ------- 
All kernels fixed, closing bug; notifications are being migrated away from
GLSAs for kernels, more news coming soon so stay tuned :-]

------- Comment #36 From Thierry Carrez (RETIRED) 2005-01-17 07:20:48 0000 ------- 
A little heads-up :

Committed to 2.6 :
http://linux.bkbits.net:8080/linux-2.6/cset@41a6721cce-LoPqkzKXudYby_3TUmg

"This is the issue covered by CAN-2004-1074 where a improperly formed binary can cause an oops.  Since this got fixed separately for 64 bit binaries and a number of distros (like RedHat) will have fixed one but not the other it deserves it's own CVE name (split due to version), CAN-2005-0003."

I don't understand everything :) Please doublecheck we're OK :)

------- Comment #37 From Robert Buchholz 2009-05-03 13:40:05 0000 ------- 
http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commit;h=3b5390826a85bad36012fe78c3052794ae418e54