Bug 77666 - Kernel i386 SMP page fault handler privilege escalation (CAN-2005-0001)
Bug#: 77666 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: All Status: RESOLVED Severity: major Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: koon@gentoo.org
Component: Kernel
URL:  http://lists.netsys.com/pipermail/full-disclosure/2005-January/030826.html
Summary: Kernel i386 SMP page fault handler privilege escalation (CAN-2005-0001)
Keywords:  
Status Whiteboard: [linux <2.6.11]
Opened: 2005-01-12 05:17 0000
Description:
Summary :

A locally exploitable flaw has been found in the Linux page fault handler
code that allows users to gain root privileges if running on a
multiprocessor machine.

See URL for details.

------- Comment #1 From Thierry Carrez (RETIRED) 2005-01-12 05:18:20 0000 -------
*** Bug 76818 has been marked as a duplicate of this bug. ***

------- Comment #2 From tklauser@nuerscht.ch 2005-01-12 12:15:18 0000 -------
It's fixed in Linus' BitKeeper tree:
http://linus.bkbits.net:8080/linux-2.5/cset@1.2360.3.5?nav=index.html|ChangeSet@-1d

------- Comment #3 From tklauser@nuerscht.ch 2005-01-12 12:17:23 0000 -------
Created an attachment (id=48335)
Patch against 2.6.10 (possibly others)

Taken from BitKeeper

------- Comment #4 From tklauser@nuerscht.ch 2005-01-12 13:27:21 0000 -------
Marcelo fixed it in 2.4.29-rc2:
http://article.gmane.org/gmane.linux.kernel/269997

------- Comment #5 From tklauser@nuerscht.ch 2005-01-13 05:00:02 0000 -------
The patch for 2.4 is also available separately.

Description: http://linux.bkbits.net:8080/linux-2.4/cset@1.1571?nav=index.html|ChangeSet@-2d

Patch:  http://linux.bkbits.net:8080/linux-2.4/gnupatch@41e506aaVw2bDZGKjd-_ojNQi9cf6A

------- Comment #6 From tklauser@nuerscht.ch 2005-01-13 05:01:20 0000 -------
Created an attachment (id=48389)
Patch against 2.4.29 (possibly others)

Taken from BitKeeper

------- Comment #7 From tklauser@nuerscht.ch 2005-01-13 05:18:29 0000 -------
(From update of attachment 48335)
The patch does not apply on vanilla 2.6.10 kernels. Seems to work only with
2.6.11-rc?

------- Comment #8 From Daniel Drake 2005-01-13 14:09:35 0000 -------
This will be fixed in a new gentoo-dev-sources release that I'm just testing.
Here's how I've done it:

Had to remove the patch for the RLIMIT memlock DoS issue described in bug 77094.
Replaced it with Linus's version,
http://dev.gentoo.org/~dsd/gentoo-dev-sources/release-10.05/dist/1130_rlimit-memlock-dos.patch

Then added our stack fix:
http://dev.gentoo.org/~dsd/gentoo-dev-sources/release-10.05/dist/1140_stack-resize.patch

Both required a rediff.

As already mentioned, I haven't tested this yet. Will get back to you in a bit
whether this works ok or not.

------- Comment #9 From Daniel Drake 2005-01-13 16:23:30 0000 -------
Having some problems booting up... It might not be this patch causing it,
possibly one of the others I have added. Debugging now.

------- Comment #10 From Adam Mondl (RETIRED) 2005-01-14 01:11:31 0000 -------
Fixed in ~x86 hardened-dev-sources-2.6.10-r2

------- Comment #11 From Daniel Drake 2005-01-14 13:31:36 0000 -------
The 1130 patch I referenced breaks bootup for myself... random bootup progs get
killed with sig11. Investigating...
Adam, did you fix this another way?

------- Comment #12 From Daniel Drake 2005-01-15 06:10:38 0000 -------
This patch:
http://linux.bkbits.net:8080/linux-2.6/cset@1.2273.1.9
alongside 1130 and 1140, solves it for me.

------- Comment #13 From Tim Yamin (RETIRED) 2005-01-15 14:00:00 0000 -------
Created an attachment (id=48581)
2.6 #77094 Update (Prerequisite)

------- Comment #14 From Tim Yamin (RETIRED) 2005-01-15 14:01:25 0000 -------
Created an attachment (id=48582)
2.6 Compound Patch

------- Comment #15 From Tim Yamin (RETIRED) 2005-01-15 14:11:22 0000 -------
Sidenote: For the #77094 patch (attachment #48581) remove the
netfilter/ip_conntrack_proto_tcp.c hunk if you are patching for kernels that
are < 2.6.10...

------- Comment #16 From Daniel Drake 2005-01-17 07:28:28 0000 -------
gentoo-dev-sources is done

------- Comment #17 From Adam Mondl (RETIRED) 2005-01-17 16:34:23 0000 -------
~x86 hardened-sources-2.4.28-r3 patched

------- Comment #18 From solar 2005-01-18 09:39:46 0000 -------
CAN-2005-0001 fixed using attachment #48389 in >= grsec-sources-2.4.28.2.1.0-r1

------- Comment #19 From Thierry Carrez (RETIRED) 2005-03-16 03:16:33 0000 -------
Mass-CCing kern-sec@gentoo.org to make sure the Kernel Security guys know about all
of these...

------- Comment #20 From Tim Yamin (RETIRED) 2005-03-29 05:49:45 0000 -------
All fixed, closing bug.

------- Comment #21 From Robert Buchholz 2009-05-03 14:07:39 0000 -------
commit fa6e49a2497cb4298d81c0d384c1ade8bcf1f0a3
Author: Linus Torvalds <torvalds@ppc970.osdl.org>

    Handle two threads both trying to expand their stack simultaneously.

commit 7d153fe70c171e9ea8dab7c0461d28651a44385f
Author: Linus Torvalds <torvalds@ppc970.osdl.org>

    Clean up stack growth checks and move them into a common function.

commit 092070386eaa3afc8e2375287bec98369736fc48
Author: Chris Wright <chrisw@osdl.org>

    [PATCH] acct_stack_growth nitpicks