Summary: A locally exploitable flaw has been found in the Linux page fault handler code that allows users to gain root privileges if running on a multiprocessor machine. See URL for details.
*** Bug 76818 has been marked as a duplicate of this bug. ***
It's fixed in Linus' BitKeeper tree: http://linus.bkbits.net:8080/linux-2.5/cset@1.2360.3.5?nav=index.html|ChangeSet@-1d
Created attachment 48335 [details, diff] Patch against 2.6.10 (possibly others) Taken from BitKeeper
Marcelo fixed it in 2.4.29-rc2: http://article.gmane.org/gmane.linux.kernel/269997
The patch for 2.4 is also available separately. Description: http://linux.bkbits.net:8080/linux-2.4/cset@1.1571?nav=index.html|ChangeSet@-2d Patch: http://linux.bkbits.net:8080/linux-2.4/gnupatch@41e506aaVw2bDZGKjd-_ojNQi9cf6A
Created attachment 48389 [details, diff] Patch against 2.4.29 (possibly others) Taken from BitKeeper
Comment on attachment 48335 [details, diff] Patch against 2.6.10 (possibly others) The patch does not apply on vanilla 2.6.10 kernels. Seems to work only with 2.6.11-rc?
This will be fixed in a new gentoo-dev-sources release that I'm just testing. Here's how I've done it:
- Had to remove the patch for the RLIMIT memlock DoS issue described in bug 77094.
- Replaced it with Linus's version: http://dev.gentoo.org/~dsd/gentoo-dev-sources/release-10.05/dist/1130_rlimit-memlock-dos.patch
- Then added our stack fix: http://dev.gentoo.org/~dsd/gentoo-dev-sources/release-10.05/dist/1140_stack-resize.patch
Both required a rediff. As already mentioned, I haven't tested this yet. Will get back to you in a bit on whether this works ok or not.
Having some problems booting up... It might not be this patch causing it, possibly one of the others I have added. Debugging now.
Fixed in ~x86 hardened-dev-sources-2.6.10-r2
The 1130 patch I referenced breaks bootup for myself... random bootup progs get killed with sig11. Investigating... Adam, did you fix this another way?
This patch: http://linux.bkbits.net:8080/linux-2.6/cset@1.2273.1.9 alongside 1130 and 1140, solves it for me.
Created attachment 48581 [details, diff] 2.6 #77094 Update (Prerequisite)
Created attachment 48582 [details, diff] 2.6 Compound Patch
Sidenote: For the #77094 patch (attachment #48581 [details, diff]), remove the netfilter/ip_conntrack_proto_tcp.c hunk if you are patching kernels that are < 2.6.10.
gentoo-dev-sources is done
~x86 hardened-sources-2.4.28-r3 patched
CAN-2005-0001 fixed using attachment #48389 [details, diff] in >= grsec-sources-2.4.28.2.1.0-r1
Mass-Ccing kern-sec@gentoo.org to make sure Kernel Security guys know about all of these...
All fixed, closing bug.
commit fa6e49a2497cb4298d81c0d384c1ade8bcf1f0a3
Author: Linus Torvalds <torvalds@ppc970.osdl.org>
Handle two threads both trying to expand their stack simultaneously.

commit 7d153fe70c171e9ea8dab7c0461d28651a44385f
Author: Linus Torvalds <torvalds@ppc970.osdl.org>
Clean up stack growth checks and move them into a common function.

commit 092070386eaa3afc8e2375287bec98369736fc48
Author: Chris Wright <chrisw@osdl.org>
[PATCH] acct_stack_growth nitpicks
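The commit messages above describe the shape of the problem (two threads expanding the same stack at once) and of the fix (the growth checks gathered into one function). The following is an added user-space model of that check-then-act race, written for this page; it is not the kernel's expand_stack()/acct_stack_growth() code and does not reproduce the actual kernel data structures. The "stack" is just a byte count, STACK_LIMIT stands in for an assumed RLIMIT_STACK value, and the interleaving of the two threads is scripted rather than produced by a real scheduler so the outcome is deterministic. The locked variant models the fixed kernel's serialization by performing check and commit as one indivisible step; which lock the real fix uses is not something this model asserts.

```c
/* Model of a stack-growth limit check racing against itself (added example). */
#include <stdio.h>
#include <stdbool.h>

#define STACK_LIMIT 8192u   /* stands in for RLIMIT_STACK; assumed value */

struct mm_model {
    unsigned int stack_size;   /* bytes currently accounted to the stack */
};

/* Step 1 of a growth request: would the new size still respect the limit? */
static bool growth_ok(const struct mm_model *mm, unsigned int grow)
{
    return mm->stack_size + grow <= STACK_LIMIT;
}

/* Step 2: account the growth. Only valid if growth_ok() was true for this size. */
static void growth_commit(struct mm_model *mm, unsigned int grow)
{
    mm->stack_size += grow;
}

/* Racy schedule: A checks, B checks, A commits, B commits. Both checks read the
 * same stale size, so both pass and the committed total exceeds the limit.
 * Returns the final accounted stack size. */
unsigned int race_unlocked(unsigned int initial, unsigned int grow_a, unsigned int grow_b)
{
    struct mm_model mm = { initial };
    bool ok_a = growth_ok(&mm, grow_a);      /* thread A checks */
    bool ok_b = growth_ok(&mm, grow_b);      /* thread B checks, sees the old size */
    if (ok_a) growth_commit(&mm, grow_a);    /* thread A commits */
    if (ok_b) growth_commit(&mm, grow_b);    /* thread B commits on a stale check */
    return mm.stack_size;
}

/* Serialized growth: check and commit happen as one unit, so the second caller
 * sees the first caller's growth. This is the model's stand-in for the kernel
 * doing both under a lock in a single common function. */
static bool grow_serialized(struct mm_model *mm, unsigned int grow)
{
    if (!growth_ok(mm, grow))
        return false;
    growth_commit(mm, grow);
    return true;
}

unsigned int race_locked(unsigned int initial, unsigned int grow_a, unsigned int grow_b)
{
    struct mm_model mm = { initial };
    grow_serialized(&mm, grow_a);            /* thread A: check+commit */
    grow_serialized(&mm, grow_b);            /* thread B: check fails, no commit */
    return mm.stack_size;
}

/* True iff an accounted size respects the modeled limit. */
bool within_limit(unsigned int size)
{
    return size <= STACK_LIMIT;
}

int main(void)
{
    /* Constructed scenario: 4096 bytes in use, each thread asks for 3072 more. */
    unsigned int racy = race_unlocked(4096, 3072, 3072);
    unsigned int safe = race_locked(4096, 3072, 3072);
    printf("unlocked: %u bytes (limit %u) -> %s\n", racy, STACK_LIMIT,
           within_limit(racy) ? "ok" : "EXCEEDED");
    printf("locked:   %u bytes (limit %u) -> %s\n", safe, STACK_LIMIT,
           within_limit(safe) ? "ok" : "EXCEEDED");
    return 0;
}
```

The scripted interleaving is the whole point: on a uniprocessor the window between the two steps is rarely hit, which matches the summary's note that the flaw is exploitable on multiprocessor machines, where two threads really do run the check at the same moment.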