Bug 341801 (CVE-2010-3904) - Kernel: Linux RDS Protocol Local Privilege Escalation (CVE-2010-3904)
Summary: Kernel: Linux RDS Protocol Local Privilege Escalation (CVE-2010-3904)
Status: RESOLVED FIXED
Alias: CVE-2010-3904
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Security
URL: http://git.kernel.org/?p=linux/kernel...
Whiteboard: [linux < 2.6.36]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-10-19 19:49 UTC by Tim Sammut (RETIRED)
Modified: 2013-09-15 20:02 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Tim Sammut (RETIRED) gentoo-dev 2010-10-19 19:49:27 UTC
From $url:

Vulnerability Overview

On October 13th, VSR identified a vulnerability in the RDS protocol, as implemented in the Linux kernel. Because kernel functions responsible for copying data between kernel and user space failed to verify that a user-provided address actually resided in the user segment, a local attacker could issue specially crafted socket function calls to write arbitrary values into kernel memory. By leveraging this capability, it is possible for unprivileged users to escalate privileges to root.

Vulnerability Details

On Linux, recvmsg() style socket calls are performed using iovec structs, which allow a user to specify a base address and size for a buffer used to receive socket data. Each packet family is responsible for defining functions that copy socket data, which is received by the kernel, back to user space to allow user programs to process and handle received network data.

When performing this copying of data to user space, the RDS protocol failed to verify that the base address of a user-provided iovec struct pointed to a valid userspace address before using the __copy_to_user_inatomic() function to copy the data. As a result, by providing a kernel address as an iovec base and issuing a recvmsg() style socket call, a local user could write arbitrary data into kernel memory. This can be leveraged to escalate privileges to root.

More detail is available at $url, including a link to this upstream patch.

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=799c10559d60f159ab2232203f222f18fa3c4a5f
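The advisory above describes a missing range check on a caller-supplied iovec base before data is scattered into it. The following user-space model, added here as an example and not code from the kernel, from VSR, or from Gentoo's patches, shows that check beside the flawed path so the difference is testable: the hardened copy routine verifies that the whole [base, base+len) range lies inside the user segment (and cannot wrap) before writing, while the unchecked routine resolves whatever address it is given. The address layout, region sizes, and the names USER_BASE, KERNEL_BASE, iovec_model, deliver_to_iovecs and scenario are assumptions made for the model, not real kernel values.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>

/* Constructed model of a split address space (assumption, not the kernel's
 * real layout): a small "user" region and a small "kernel" region, each
 * backed by a byte array. */
#define USER_BASE    0x00400000ULL
#define USER_LIMIT   0x00400100ULL             /* end of user segment, exclusive */
#define KERNEL_BASE  0xffffffff80000000ULL
#define REGION_SIZE  256

static unsigned char user_mem[REGION_SIZE];    /* backs [USER_BASE, USER_LIMIT) */
static unsigned char kernel_mem[REGION_SIZE];  /* backs [KERNEL_BASE, KERNEL_BASE+256) */

struct iovec_model {        /* stand-in for struct iovec */
    uint64_t iov_base;      /* address supplied by the untrusted caller */
    size_t   iov_len;
};

/* True when [addr, addr+len) lies inside [lo, hi). Bounding len by the
 * distance to hi means the end of the range can never wrap around. */
static int in_range(uint64_t addr, size_t len, uint64_t lo, uint64_t hi)
{
    return addr >= lo && addr < hi && len <= hi - addr;
}

/* The check the vulnerable path skipped: the caller-supplied destination
 * must lie entirely within the user segment (the access_ok() idea). */
int user_range_ok(uint64_t base, size_t len)
{
    return in_range(base, len, USER_BASE, USER_LIMIT);
}

/* Raw address translation: resolves user AND kernel addresses alike, which
 * is why a copy routine relying on it alone is unsafe with untrusted input. */
static unsigned char *resolve(uint64_t addr, size_t len)
{
    if (in_range(addr, len, USER_BASE, USER_LIMIT))
        return user_mem + (addr - USER_BASE);
    if (in_range(addr, len, KERNEL_BASE, KERNEL_BASE + REGION_SIZE))
        return kernel_mem + (addr - KERNEL_BASE);
    return NULL;                               /* unmapped in this model */
}

/* Flawed copy: no segment check, models the behaviour the advisory describes. */
static int copy_to_user_unchecked(uint64_t dst, const void *src, size_t len)
{
    unsigned char *p = resolve(dst, len);
    if (!p)
        return -EFAULT;
    memcpy(p, src, len);
    return 0;
}

/* Hardened copy: rejects any destination outside the user segment first. */
static int copy_to_user_checked(uint64_t dst, const void *src, size_t len)
{
    if (!user_range_ok(dst, len))
        return -EFAULT;
    return copy_to_user_unchecked(dst, src, len);
}

/* Scatter a received payload into the caller's iovec array the way a
 * recvmsg() path does. `checked` selects the hardened or the flawed copy.
 * Returns bytes delivered, or -EFAULT. */
long deliver_to_iovecs(const unsigned char *payload, size_t payload_len,
                       const struct iovec_model *iov, size_t iovcnt, int checked)
{
    size_t done = 0;
    for (size_t i = 0; i < iovcnt && done < payload_len; i++) {
        size_t n = payload_len - done;
        if (n > iov[i].iov_len)
            n = iov[i].iov_len;
        int rc = checked ? copy_to_user_checked(iov[i].iov_base, payload + done, n)
                         : copy_to_user_unchecked(iov[i].iov_base, payload + done, n);
        if (rc)
            return rc;
        done += n;
    }
    return (long)done;
}

/* One receive with a single iovec at `base`; kernel_mem is zeroed first so a
 * caller can tell afterwards whether the copy reached it. */
long scenario(uint64_t base, int checked)
{
    static const unsigned char payload[] = "constructed RDS payload"; /* 24 bytes incl. NUL */
    struct iovec_model iov = { base, sizeof payload };
    memset(kernel_mem, 0, sizeof kernel_mem);
    return deliver_to_iovecs(payload, sizeof payload, &iov, 1, checked);
}

/* Detection helper for the model: did anything land in "kernel" memory? */
int kernel_mem_modified(void)
{
    for (size_t i = 0; i < REGION_SIZE; i++)
        if (kernel_mem[i])
            return 1;
    return 0;
}

int main(void)
{
    printf("user iovec, checked:   %ld\n", scenario(USER_BASE + 8, 1));
    printf("kernel iovec, checked: %ld (kernel touched: %d)\n",
           scenario(KERNEL_BASE + 16, 1), kernel_mem_modified());
    printf("kernel iovec, flawed:  %ld (kernel touched: %d)\n",
           scenario(KERNEL_BASE + 16, 0), kernel_mem_modified());
    return 0;
}
```

The length check against the distance to USER_LIMIT is the part easiest to get wrong: comparing base+len against the limit directly lets a large len wrap the sum back into the user range, which is why the model bounds len rather than computing the end address.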
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2010-10-19 22:34:04 UTC
Just FYI, courtesy of Michael Pagano <mpagano@gentoo.org>.

<-- snip -->

This is an automated email announcing the release of genpatches-2.6.35-12


CHANGES SINCE 2.6.35-11
-----------------------

Revision 1809: 
Patch for CVE-2010-3904 Privilege escalation (mpagano)
Added: 1500_CVE-2010-3904-RDS-Priv-Escal-fix.patch

Revision 1810: 
2.6.35-12 release (mpagano)


PATCHES
-------

When the website updates, the complete patch list and split-out patches will be
available here:
http://dev.gentoo.org/~mpagano/genpatches/patches-2.6.35-12.htm
http://dev.gentoo.org/~mpagano/genpatches/tarballs/genpatches-2.6.35-12.base.tar.bz2
http://dev.gentoo.org/~mpagano/genpatches/tarballs/genpatches-2.6.35-12.extras.tar.bz2


ABOUT GENPATCHES
----------------

genpatches is the patchset applied to some kernels available in Portage.

For more information, see the genpatches homepage:
http://dev.gentoo.org/~mpagano/genpatches

For a simple example of how to use genpatches in your kernel ebuild, look at a
recent gentoo-sources-2.6.* ebuild.


Comment 2 Mike Pagano gentoo-dev 2010-10-19 23:41:05 UTC
This fix is now released in the following genpatches:

genpatches-2.6.35-12
genpatches-2.6.34-14
genpatches-2.6.32-25

The following newly released gentoo-sources kernels contain the patch:

gentoo-sources-2.6.35-r11
gentoo-sources-2.6.34-r12
gentoo-sources-2.6.32-r20

The following stable request bugs have been filed for these kernels:
bug #341833 for gentoo-sources-2.6.32-r20
bug #341831 for gentoo-sources-2.6.34-r12

No stable request filed for 2.6.35-r11, as we wait for the prerequisite 30 days for the new baselayout to be requested to be stabled before we can do so.

Comment 3 Mike Pagano gentoo-dev 2010-10-20 00:20:00 UTC
I added the archs to the wrong bug. My bad.
Comment 4 Anthony Basile gentoo-dev 2010-10-20 16:46:58 UTC
The fix is in the following hardened sources patchsets:

    hardened-patches-2.6.32-25
    hardened-patches-2.6.35-5

for the following ebuilds:

    hardened-sources-2.6.32-r22
    hardened-sources-2.6.35-r4


Note that the fix is included in the grsecurity patches:

    4420_grsecurity-2.2.0-2.6.32.24-201010191911.patch
    4420_grsecurity-2.2.0-2.6.35.7-201010191911.patch

and so the hardened sources patchsets do not include

    1500_CVE-2010-3904-RDS-Priv-Escal-fix.patch

from genpatches (to avoid patch collision on the same issue).
Comment 5 Anthony Basile gentoo-dev 2010-10-20 16:57:02 UTC
Fast track stabilization request for hardened-sources-2.6.32-r22 submitted in bug #341915.

We're waiting on hardened-sources-2.6.35-r4 for the same reason as in Comment #2 --- we need baselayout 2 stabilization.