http://linux.bkbits.net:8080/linux-2.6/cset@41bdc399fjcFowgsJH5ZMZ8eP-YcwA?nav=index.html

--------------------------------------
Michael Kerrisk has observed that at present any process can SHM_LOCK any shm segment of size within process RLIMIT_MEMLOCK, despite having no permissions on the segment: surprising, though not obviously evil. And any process can SHM_UNLOCK any shm segment, despite no permissions on it: that is surely wrong.
--------------------------------------

Looks like a 2.6.x vulnerability... local DoS by massive SHM_UNLOCK ?
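A post-patch check for the SHM_UNLOCK half of the changeset description above, added here as an example and not taken from the thread or the attached patches: it assumes Linux with SysV IPC, root to run it, and uid 65534 as an unprivileged account; the function and constant names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/wait.h>
#include <unistd.h>
#define UNPRIV_UID 65534  /* assumption: an unprivileged "nobody" uid exists */
enum { PROBE_SKIPPED = -1, PROBE_UNLOCK_ALLOWED = 0, PROBE_UNLOCK_DENIED = 1 };
/* Child exit code -> outcome: 0 = EPERM as expected, 1 = shmctl succeeded,
 * anything else = the child could not run the probe. */
int classify_child_exit(int code)
{
    return code == 0 ? PROBE_UNLOCK_DENIED
         : code == 1 ? PROBE_UNLOCK_ALLOWED : PROBE_SKIPPED;
}

/* As root: create a root-owned, mode 0600 segment, lock it, then from a child
 * running as an unrelated uid (setuid to non-root drops CAP_IPC_LOCK) try
 * SHM_UNLOCK. A kernel with the ownership check refuses with EPERM; the
 * unchecked kernel this bug describes lets the unlock through. */
int probe_foreign_shm_unlock(void)
{
    if (geteuid() != 0)
        return PROBE_SKIPPED;  /* need root to own the segment and switch uid */
    int id = shmget(IPC_PRIVATE, 4096, IPC_CREAT | 0600);
    if (id < 0)
        return PROBE_SKIPPED;  /* no SysV IPC here (e.g. restricted container) */
    shmctl(id, SHM_LOCK, NULL);  /* owner lock; failure does not affect the probe */
    int result = PROBE_SKIPPED;
    pid_t pid = fork();
    if (pid == 0) {
        if (setgid(UNPRIV_UID) != 0 || setuid(UNPRIV_UID) != 0)
            _exit(2);
        _exit(shmctl(id, SHM_UNLOCK, NULL) == 0 ? 1 : errno == EPERM ? 0 : 2);
    } else if (pid > 0) {
        int status;
        if (waitpid(pid, &status, 0) == pid && WIFEXITED(status))
            result = classify_child_exit(WEXITSTATUS(status));
    }
    shmctl(id, IPC_RMID, NULL);  /* always remove the segment again */
    return result;
}
int main(void)
{
    int r = probe_foreign_shm_unlock();
    puts(r == PROBE_SKIPPED ? "probe skipped (needs root and SysV IPC)"
       : r == PROBE_UNLOCK_DENIED ? "SHM_UNLOCK by another uid: refused (EPERM)"
       : "SHM_UNLOCK by another uid: ALLOWED, ownership check is missing");
    return 0;
}
```

Run it as root on the patched kernel; a "refused (EPERM)" result means the ownership check is in place, while "ALLOWED" reproduces the unchecked behaviour the changeset describes.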
2.4 seems to have the needed check in place...
Looks like this appeared only after 2.6.8.1 too...
Created attachment 46584
2.6.9 Patch

Please use this; the patch in the specified URL will fail to compile unless the rlimit code from 2.6.10_rcX happens to be backported...
Seems that genpatches-2.6-9.12-base contains the wrong patch (the one from bitkeeper), the patch attached by Tim Yamin in this bug works.
Hanno, not sure why you closed this.. Fixing the genpatches patch now.
Ok, all patched - the following externally maintained sources still need patching:
gentoo-dev-sources -- Adding dsd...
mips-sources -- Adding Kumba...
rsbac-dev-sources -- Adding kang...
dsd: Looks like 2.6.9-r12 has the fix, thanks; it needs backporting to the SPARC branch though...
eradicator does the sparc branch
...which is already up-to-date and fixed.
mips-sources fixed.
rsbac-dev-sources fixed
Mass-Ccing kern-sec@gentoo.org to make sure Kernel Security guys know about all of these...
All fixed, closing bug.