| Summary: | Kernel: NULL pointer dereference due to incorrect proto_ops initializations (CVE-2009-2692) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
| Component: | Kernel | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | amne, bernd, gentoo, hardened-kernel+disabled, jappie, kernel, mkl, vserver-devs+disabled |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98 | | |
| Whiteboard: | [ linux >= 2.4.4 < 2.6 ] [ linux >= 2.6.0 < 2.6.27.30 ] [ linux >= 2.6.28 < 2.6.30.5 ] [ gp < 2.6.30-6 ] | | |
| Package list: | | Runtime testing required: | --- |
Description
Alex Legler (RETIRED)
2009-08-13 22:14:36 UTC
Just for reference: This allows for local privilege escalation to root in many common setups (either SELinux or pulseaudio available...). Exploit code in the wild.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2692
http://grsecurity.net/~spender/wunderbar_emporium.tgz
http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html
http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html

CVE-2009-2692 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2692):
The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation on a PF_PPPOX socket.

*** Bug 281903 has been marked as a duplicate of this bug. ***

Any updates on this ?

(In reply to comment #4)
> Any updates on this ?
>
gentoo-sources 2.6.30-r5 and vanilla-sources 2.6.30.5 have the fix, hardened-sources are believed to be not affected. Upstream has the fix in 2.6.27.30 as well.

(In reply to comment #5)
> hardened-sources are believed to be not affected.

Can someone confirm that the hardened-sources really aren't affected?

(In reply to comment #6)
> Can someone confirm that the hardened-sources really aren't affected?

http://forums.grsecurity.net/viewtopic.php?f=3&t=2177#p9196

fixed in vserver-sources-{2.2.0.7-r1,2.3.0.36.14-r1}

Nice. Shouldn't it get stabilized sometime soon now? We need to force use of gcc 4.1.2 for compiling btw.
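The initialization gap described in the CVE text above, shown as an added user-space model that is not part of the bug report or the kernel tree: a `proto_ops`-style table built with designated initializers leaves any unset function pointer NULL, and the upstream fix pattern is to give every slot a safe default stub (the kernel's `sock_no_sendpage`; here a hypothetical `no_sendpage`) and to refuse the operation rather than call through NULL. The struct layout, `dummy_sendmsg`, `ops_has_null_slot` and `do_sendpage` are assumptions for illustration.

```c
/* Added example, not from the bug report or the kernel tree: a user-space
 * model of the CVE-2009-2692 defect. Designated initializers leave any
 * unset function pointer NULL, so a dispatch through the missing slot
 * calls address 0. The fix pattern is to give every slot a safe default
 * stub (the kernel's sock_no_sendpage; modelled here by a hypothetical
 * no_sendpage) and, as defence in depth, to check the slot before calling. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for the kernel's struct proto_ops. */
struct proto_ops {
    int (*sendmsg)(const char *buf, size_t len);
    int (*sendpage)(const char *buf, size_t len);
};

static int dummy_sendmsg(const char *buf, size_t len) { (void)buf; return (int)len; }

/* Safe default: refuse the operation instead of leaving the slot NULL. */
static int no_sendpage(const char *buf, size_t len) { (void)buf; (void)len; return -EOPNOTSUPP; }

/* Vulnerable shape: .sendpage never assigned, so it is implicitly NULL. */
const struct proto_ops vulnerable_ops = { .sendmsg = dummy_sendmsg };

/* Fixed shape: every operation has a non-NULL handler. */
const struct proto_ops fixed_ops = { .sendmsg = dummy_sendmsg, .sendpage = no_sendpage };

/* Audit helper: 1 if any slot in the table is NULL, 0 otherwise. */
int ops_has_null_slot(const struct proto_ops *ops) {
    return ops->sendmsg == NULL || ops->sendpage == NULL;
}

/* Guarded dispatch: never call through a NULL slot. */
int do_sendpage(const struct proto_ops *ops, const char *buf, size_t len) {
    if (ops->sendpage == NULL)
        return -EOPNOTSUPP;
    return ops->sendpage(buf, len);
}

int main(void) {
    const char data[] = "constructed sample data";
    printf("vulnerable_ops has NULL slot: %d\n", ops_has_null_slot(&vulnerable_ops));
    printf("fixed_ops has NULL slot: %d\n", ops_has_null_slot(&fixed_ops));
    printf("do_sendpage(vulnerable_ops) = %d\n", do_sendpage(&vulnerable_ops, data, sizeof data - 1));
    printf("do_sendpage(fixed_ops) = %d\n", do_sendpage(&fixed_ops, data, sizeof data - 1));
    return 0;
}
```

The same audit can be applied to every operations table in a code base: any slot left NULL is a latent dereference until a default stub fills it.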