It's public now : =================================================================== Synopsis: Linux kernel uselib() privilege elevation Product: Linux kernel Version: 2.4 up to and including 2.4.29-rc2, 2.6 up to and including 2.6.10 Vendor: http://www.kernel.org/ URL: http://isec.pl/vulnerabilities/isec-0021-uselib.txt CVE: CAN-2004-1235 Author: Paul Starzetz <ihaquer@isec.pl> Date: Jan 07, 2005 Issue: ====== Locally exploitable flaws have been found in the Linux binary format loaders' uselib() functions that allow local users to gain root privileges. Details: ======== The Linux kernel provides a binary format loader layer to load (execute) programs of different binary formats like ELF or a.out and more. The kernel also provides a function named sys_uselib() to load a corresponding library. This function is dispatched to the current process's binary format handler and is basically a simplified mmap() coupled with some header parsing code. An analyze of the uselib function load_elf_library() from binfmt_elf.c revealed a flaw in the handling of the library's brk segment (VMA). That segment is created with the current->mm->mmap_sem semaphore NOT held while modifying the memory layout of the calling process. This can be used to disturb the memory management and gain elevated privileges. Also the binfmt_aout binary format loader code is affected in the same way. =======================================================================
Created attachment 47851 [details, diff] 2.6.10-mm1-brk-locked.patch Patch from Marcelo Tossati. He said it was not very tested.
2.4 patch at http://linux.bkbits.net:8080/linux-2.4/patch@1.1551
*** Bug 76292 has been marked as a duplicate of this bug. ***
Created attachment 47865 [details, diff] 2.6 Patch
The linked 2.4 patch doesn't apply here. Does it depend on another patch which i missed? No other patch in 2.4.28 here seems to touch the failing binfmt_elf.c vma patch is only for binfmt_elf32.c and the binfmt_a.out patch is for binfmt_aout.c so binfmt_elf.c seems to be vanilla here and the patch still fails. I also did a generic grep "binfmt_elf.c" on all patches ... none touches that file.
Created attachment 47891 [details, diff] 2.4 Patch
Just to note, there is also a forum topic about this: http://forums.gentoo.org/viewtopic.php?t=276357 quotes: * 2.6.10-gentoo-dev-sources-r3 has the fix for this vulnerability. * The grsec team has posted a set of cummulative patches that should fix this as far as I can tell. http://www.grsecurity.net/download.php What about the hardened{,-dev}-sources?
Fixed in sparc-sources-2.4.28-r4
Created attachment 47953 [details, diff] 2.4 Patch (Use if kernel does not have PaX)
Created attachment 47955 [details, diff] 2.4 Patch (Use if kernel does have PaX)
grsec-sources patched with the attachment #47955 [details, diff]. -* masked while testing and getting gradm pkg together.
Created attachment 47970 [details, diff] <= 2.4.27 Patch (No PaX)
Created attachment 47971 [details, diff] <= 2.4.27 Patch (PaX)
Security bump; development-sources 2.6.10-r1, arches please mark stable.
Created attachment 48007 [details, diff] 2.6.7 Patch
2.6.10-r1 stable on amd64, thanks.
gentoo-dev-sources done
All done, following externally maintained sources still need fixing: hardened-(dev-)sources -- Adding hardened herd... hppa-sources -- Adding GMSoft... mips-sources -- Adding Kumba... openmosix-sources -- Adding cluster herd... pegasos-dev-sources -- Adding dholm... rsbac-(dev-)sources -- Adding kang... sparc-sources -- Adding Joker (Update with attachment #47953 [details, diff])...
pegasos-dev-sources has already been fixed
patch updated on sparc
Done in hppa-sources-2.6.10_p10.
done for openMo6-sources.
~x86 hardened-dev-sources-2.6.10 patched
Development-sources now done. Vulnerable ebuilds purged.
rsbac-sources 2.6 tree patched
~x86 hardened-sources-2.4.28-r2 fixed
gentoo-dev-sources is done
mips-sources patched
rsbac-sources 2.4 is also fixed in ~x86
Mass-Ccing kern-sec@gentoo.org to make sure Kernel Security guys know about all of these...
All fixed, closing bug.
