From taviso: In the Linux kernel, each socket has an associated struct of operations called proto_ops which contain pointers to functions implementing various features, such as accept, bind, shutdown, and so on. If an operation on a particular socket is unimplemented, they are expected to point the associated function pointer to predefined stubs, for example if the "accept" operation is undefined it would point to sock_no_accept(). However, we have found that this is not always the case and some of these pointers are left uninitialized. This is not always a security issue, as the kernel validates the pointers at the call site, such as this example from sock_splice_read: [stripped] But we have found an example where this is not the case; the sock_sendpage() routine does not validate the function pointer is valid before dereferencing it, and therefore relies on the correct initialization of the proto_ops structure. We have identified several examples where the initialization is incomplete:
- The SOCKOPS_WRAP macro defined in include/linux/net.h, which appears correct at first glance, was actually affected. This includes PF_APPLETALK, PF_IPX, PF_IRDA, PF_X25 and PF_AX25 families.
- Initializations were missing in other protocols, including PF_BLUETOOTH, PF_IUCV, PF_INET6 (with IPPROTO_SCTP), PF_PPPOX and PF_ISDN.
--
All Linux 2.4/2.6 versions since May 2001 are believed to be affected:
- Linux 2.4, from 2.4.4 up to and including 2.4.37.4
- Linux 2.6, from 2.6.0 up to and including 2.6.30.4
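The advisory above describes two things a defender cares about: a proto_ops table whose unlisted slots silently stay NULL, and a call site (sock_sendpage) that trusted the table instead of checking the pointer. The following user-space model is an added example written for this thread; it is not code from taviso, the kernel, or Gentoo. Names such as my_proto_ops, safe_sendpage and ops_audit are hypothetical stand-ins for the kernel's proto_ops, kernel_sendpage and the sock_no_* stubs. It shows the call-site check with stub fallback (the shape of the upstream fix) and an audit that reports which slots a protocol left uninitialized, which is the check one would run over every registered table rather than over the one protocol the bug happened to hit.

```c
/* Added example, not from the bug thread or the kernel: a user-space model of
 * incomplete proto_ops initialization and of two defensive measures.
 * All names here are hypothetical; only the slot names mirror proto_ops. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct my_sock;

/* Minimal stand-in for struct proto_ops: a table of function pointers. */
struct my_proto_ops {
    const char *name;
    int (*accept)(struct my_sock *);
    int (*bind)(struct my_sock *);
    int (*shutdown)(struct my_sock *);
    int (*sendpage)(struct my_sock *, const void *, size_t);
};

struct my_sock {
    const struct my_proto_ops *ops;
};

/* Stubs playing the role of sock_no_accept() and friends: a slot that is
 * deliberately unsupported points here instead of being left NULL. */
static int no_accept(struct my_sock *s)   { (void)s; return -EOPNOTSUPP; }
static int no_bind(struct my_sock *s)     { (void)s; return -EOPNOTSUPP; }
static int no_shutdown(struct my_sock *s) { (void)s; return -EOPNOTSUPP; }
static int no_sendpage(struct my_sock *s, const void *p, size_t n)
{ (void)s; (void)p; (void)n; return -EOPNOTSUPP; }

/* A "real" implementation that pretends every byte was sent. */
static int real_sendpage(struct my_sock *s, const void *p, size_t n)
{ (void)s; (void)p; return (int)n; }

/* A fully initialized table: every slot points somewhere valid. */
static const struct my_proto_ops complete_ops = {
    .name = "complete", .accept = no_accept, .bind = no_bind,
    .shutdown = no_shutdown, .sendpage = real_sendpage,
};

/* A table in the shape the advisory describes: designated initializers
 * zero every slot not listed, so .sendpage is NULL here. */
static const struct my_proto_ops incomplete_ops = {
    .name = "incomplete", .accept = no_accept, .bind = no_bind,
    .shutdown = no_shutdown,
};

/* Call-site check with stub fallback: the caller no longer relies on the
 * table having been filled in correctly. */
static int safe_sendpage(struct my_sock *s, const void *p, size_t n)
{
    if (s->ops->sendpage)
        return s->ops->sendpage(s, p, n);
    return no_sendpage(s, p, n);
}

/* Audit: bit i set in the result means slot i is NULL. */
enum { SLOT_ACCEPT = 1, SLOT_BIND = 2, SLOT_SHUTDOWN = 4, SLOT_SENDPAGE = 8 };

static unsigned ops_audit(const struct my_proto_ops *ops)
{
    unsigned missing = 0;
    if (!ops->accept)   missing |= SLOT_ACCEPT;
    if (!ops->bind)     missing |= SLOT_BIND;
    if (!ops->shutdown) missing |= SLOT_SHUTDOWN;
    if (!ops->sendpage) missing |= SLOT_SENDPAGE;
    return missing;
}

/* Walk a registry of tables and count those with at least one NULL slot,
 * naming each offender on stderr. */
static int count_incomplete(const struct my_proto_ops *const *tables, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned m = ops_audit(tables[i]);
        if (m) {
            bad++;
            fprintf(stderr, "%s: uninitialized slot mask 0x%x\n",
                    tables[i]->name, m);
        }
    }
    return bad;
}

int main(void)
{
    const struct my_proto_ops *registry[] = { &complete_ops, &incomplete_ops };
    struct my_sock good = { &complete_ops }, bad = { &incomplete_ops };
    const char buf[] = "data";   /* constructed sample payload */

    printf("complete sendpage   -> %d\n", safe_sendpage(&good, buf, sizeof buf - 1));
    printf("incomplete sendpage -> %d\n", safe_sendpage(&bad, buf, sizeof buf - 1));
    printf("%d incomplete table(s)\n", count_incomplete(registry, 2));
    return 0;
}
```

The audit is the part worth keeping around: the SOCKOPS_WRAP finding in the advisory shows that a table can look complete at first glance, so iterating over every registered table and testing each slot for NULL catches omissions that code review misses.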
Just for reference: This allows for local privilege escalation to root in many common setups (either SELinux or pulseaudio available...). Exploit code in the wild.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2692
http://grsecurity.net/~spender/wunderbar_emporium.tgz
http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html
http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
CVE-2009-2692 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2692): The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation on a PF_PPPOX socket.
*** Bug 281903 has been marked as a duplicate of this bug. ***
Any updates on this?
(In reply to comment #4)
> Any updates on this?
gentoo-sources 2.6.30-r5 and vanilla-sources 2.6.30.5 have the fix, hardened-sources are believed to be not affected. Upstream has the fix in 2.6.27.30 as well.
(In reply to comment #5)
> hardened-sources are believed to be not affected.
Can someone confirm that the hardened-sources really aren't affected?
(In reply to comment #6)
> Can someone confirm that the hardened-sources really aren't affected?
http://forums.grsecurity.net/viewtopic.php?f=3&t=2177#p9196
fixed in vserver-sources-{2.2.0.7-r1,2.3.0.36.14-r1}
Nice. Shouldn't it get stabilized sometime soon now? We need to force use of gcc 4.1.2 for compiling btw.