Bug 104361 - Kernel: 64bit privilege escalation (CAN-2005-2490)
Summary: Kernel: 64bit privilege escalation (CAN-2005-2490)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.kernel.org/pub/linux/kerne...
Whiteboard: [linux <2.6.13.1]
Keywords:
Depends on:
Blocks:
 
Reported: 2005-08-31 03:04 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2009-08-22 12:37 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments
can-2005-2490-2.4.patch (14.18 KB, patch) - 2005-08-31 03:05 UTC, Sune Kloppenborg Jeppesen (RETIRED)
can-2005-2490-2.6.patch (4.11 KB, patch) - 2005-08-31 03:06 UTC, Sune Kloppenborg Jeppesen (RETIRED)
can-2005-2490-fixed-2.4.patch (6.52 KB, patch) - 2005-09-05 01:44 UTC, Sune Kloppenborg Jeppesen (RETIRED)
can-2005-2490-fixed-2.6.patch (4.79 KB, patch) - 2005-09-05 01:45 UTC, Sune Kloppenborg Jeppesen (RETIRED)
can-2005-2490-e-2.4.patch (12.23 KB, patch) - 2005-09-05 10:15 UTC, Sune Kloppenborg Jeppesen (RETIRED)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-31 03:04:38 UTC
CAN-2005-2490: When we copy 32bit ->msg_control contents to kernel, we walk the same userland data twice without sanity checks on the second pass. Moreover, if original looks small enough, we end up copying to on-stack array. With a blocking kmalloc() in between and copying from userland all along. Take two threads, have one do sendmsg() and another - to tweak memory under it. This could therefore lead to privilege escalation.
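To make the bug class in the description concrete from a defender's side, here is an added C model (not kernel code, not from the attached patches) of a control-message length that is fetched from user memory twice: the bounds check runs on the first copy, the second copy is used, and a racing writer between the two fetches turns an accepted small length into a large one. The hardened variant copies the header once and makes every later decision from the kernel-owned copy. `struct cmsg_hdr`, `mock_copy_from_user`, `STACK_BUF_SIZE` and the user-memory fixture are constructed for this example and are assumptions, not real kernel interfaces.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model (not kernel code) of the bug class behind CAN-2005-2490:
 * a control-message length read from user memory twice, with the bounds
 * check applied to the first read and the second read used for the copy. */

struct cmsg_hdr {
    uint32_t len;    /* total length of header + payload, as written by user */
    uint32_t level;
    uint32_t type;
};

#define STACK_BUF_SIZE 32  /* stands in for the small on-stack array */

/* Simulated user memory. A second thread racing sendmsg() is modelled by
 * rewriting the len field right before the second fetch. */
struct user_mem {
    unsigned char *data;
    size_t size;
    uint32_t racing_len;  /* value the racing writer stores into len */
    int fetches;
};

/* Stand-in for copy_from_user(): re-reads user memory on every call. */
static int mock_copy_from_user(void *dst, struct user_mem *um, size_t off, size_t n)
{
    if (off + n > um->size)
        return -1;
    if (++um->fetches == 2)   /* the racing thread lands between the fetches */
        memcpy(um->data, &um->racing_len, sizeof um->racing_len);
    memcpy(dst, um->data + off, n);
    return 0;
}

/* Vulnerable pattern: walks the user data twice. Returns the number of bytes
 * the kernel would then copy into the STACK_BUF_SIZE array, or -1 if rejected. */
static long cmsg_len_double_fetch(struct user_mem *um)
{
    struct cmsg_hdr h;

    /* pass 1: read the header and sanity-check its length */
    if (mock_copy_from_user(&h, um, 0, sizeof h))
        return -1;
    if (h.len < sizeof h || h.len > STACK_BUF_SIZE)
        return -1;

    /* pass 2: re-read the same user data and trust its length unchecked */
    if (mock_copy_from_user(&h, um, 0, sizeof h))
        return -1;
    return (long)h.len;   /* may now exceed STACK_BUF_SIZE */
}

/* Hardened pattern: copy the header once, validate the kernel copy, and make
 * every later decision from that copy only. */
static long cmsg_len_single_fetch(struct user_mem *um)
{
    struct cmsg_hdr h;

    if (mock_copy_from_user(&h, um, 0, sizeof h))
        return -1;
    if (h.len < sizeof h || h.len > STACK_BUF_SIZE)
        return -1;
    /* h.len is kernel-owned now; user memory is never consulted again */
    return (long)h.len;
}

/* Constructed fixture: a user buffer whose header first claims `len` bytes
 * and is then raced to `racing_len` by the simulated second thread. */
static struct user_mem make_user_mem(unsigned char *backing, size_t size,
                                     uint32_t len, uint32_t racing_len)
{
    struct user_mem um = { backing, size, racing_len, 0 };
    struct cmsg_hdr h = { len, 0, 0 };
    memset(backing, 0x41, size);
    memcpy(backing, &h, sizeof h);
    return um;
}

int main(void)
{
    unsigned char backing[256];
    struct user_mem um;

    um = make_user_mem(backing, sizeof backing, 24, 200);
    printf("double fetch would copy %ld bytes into a %d-byte array\n",
           cmsg_len_double_fetch(&um), STACK_BUF_SIZE);

    um = make_user_mem(backing, sizeof backing, 24, 200);
    printf("single fetch copies %ld bytes\n", cmsg_len_single_fetch(&um));
    return 0;
}
```

The two functions differ only in whether the user buffer is consulted again after validation; that is exactly the property the fix for this class has to guarantee, and it is the one to look for when reviewing any compat path that converts a user-supplied structure with embedded lengths.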
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-31 03:05:06 UTC
Created attachment 67332 [details, diff]
can-2005-2490-2.4.patch
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-31 03:06:03 UTC
Created attachment 67333 [details, diff]
can-2005-2490-2.6.patch
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-05 01:44:21 UTC
Created attachment 67666 [details, diff]
can-2005-2490-fixed-2.4.patch

RH reports: portmap broke on ppc64. This turned out to be an issue on 64bit arches running 32bit-compat-mode exes doing sendmsg() syscalls with unaligned CMSG data areas.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-05 01:45:08 UTC
Created attachment 67667 [details, diff]
can-2005-2490-fixed-2.6.patch
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-05 10:15:13 UTC
Created attachment 67688 [details, diff]
can-2005-2490-e-2.4.patch

Updated again.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-09-14 02:23:36 UTC
Fixed in 2.6.13.1
Comment 7 Tim Yamin (RETIRED) gentoo-dev 2005-12-24 05:06:50 UTC
All fixed, closing bug.