Bug 47881

Summary:	sys-kernel/* : multiple vulnerabilities
Product:	Gentoo Security	Reporter:	gen2daniel <gen2daniel>
Component:	Kernel	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	critical	CC:	antiher0, hardened, m.debruijne, steel300, steve
Priority:	Highest	Flags:	plasmaroo: Pending+ plasmaroo: Assigned_To? (plasmaroo)
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://www.idefense.com/application/poi/display?id=101&type=vulnerabilities
Whiteboard:	A1 [kernel+]
Package list:		Runtime testing required:	---

Description gen2daniel 2004-04-14 21:57:46 UTC

The Linux kernel performs no length checking on symbolic links stored on
an ISO9660 file system, allowing a malformed CD to perform an arbitrary
length overflow in kernel memory.

Symbolic links on ISO9660 file systems are supported by the 'Rock Ridge'
extension to the standard format. The vulnerability can be triggered by
performing a directory listing on a maliciously constructed ISO file
system, or attempting to access a file via a malformed symlink on such a
file system. Many distributions allow local users to mount CDs, which
makes them potentially vulnerable to local elevation attacks.

The relevant functions are as follows:

fs/isofs/rock.c: rock_ridge_symlink_readpage()
fs/isofs/rock.c: get_symlink_chunk()

There is no checking that the total length of the symlink being read is
less than the memory space that has been allocated for storing it. By
supplying many CE (continuation) records, each with another SL (symlink)
chunk, it is possible for an attacker to build an arbitrary length data
structure in kernel memory space.

A proof of concept exploit has been written that allows a local user to
gain root level access. It is also possible to cause execution of code
with kernel privileges.

III. ANALYSIS

In order to exploit this vulnerability, an attacker must be able to
mount a maliciously constructed file system. This may be accomplished by
the following:

a. Having an account on the machine to be compromised and inserting a
malformed disk. Some distributions allow local users to mount removable
media without needing to be root and with some configurations. This
happens automatically when a disk is inserted. The proof of concept
exploit works from floppy disk as well as CD-ROM.

If the attacker can reboot the machine from his or her own media or
supply command line options to the kernel during the initialization
process after rebooting, exploiting this vulnerability may not be
necessary to gain further access. In this situation, the attacker will
not be able to directly access any encrypted file systems.

b. If encrypted virtual file systems are implemented, and the attacker
gains access to an account able to mount one, then an attacker may be
able to mount his or her own maliciously formed file system via the
encryption interface. This would allow them access to any already
mounted file systems.

c. Being root already. If the attacker has already gained root, but the
kernel has some form of patch preventing root being able to perform
certain functions, he or she may still be able to mount a file system.
As the vulnerability occurs in kernel space, it may be possible for them
to neutralize the restrictions.

IV. DETECTION

The issue affects the 2.4.x, 2.5.x and 2.6.x kernel. Other kernel
implementations may also be vulnerable.

V. WORKAROUNDS

Disable user mounting of removable media devices.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.

Comment 1 Tim Yamin (RETIRED) gentoo-dev

2004-04-14 22:52:18 UTC

Thanks; fixed kernels will be added here as they are done.

Comment 2 Tim Yamin (RETIRED) gentoo-dev

2004-04-14 23:19:41 UTC

Vanilla-sources-2.4.26 is in...

Comment 3 Tim Yamin (RETIRED) gentoo-dev

2004-04-14 23:45:27 UTC

Vanilla-sources-2.4.26 is in...

Comment 4 Tim Yamin (RETIRED) gentoo-dev

2004-04-14 23:45:52 UTC

SELinux-sources-2.4.25 is in...

Comment 5 solar (RETIRED) gentoo-dev

2004-04-15 00:02:48 UTC

As long as no bug reports show up for grsec at grsec site and spender 
moves his patches out of http://grsecurity.net/~spender/ and to the main
site. I'll be putting it in as 2.4.26 (2.x final) and removing all older
versions. This should conclude the grsec-2.4.x series all together.
Well atleast till the next sec bug is discovered.

Comment 6 Tim Yamin (RETIRED) gentoo-dev

2004-04-15 00:34:30 UTC

Win4Lin-Sources 2.4.25-r1 and 2.6.5-r1 which are patched are now in...

Comment 7 Tim Yamin (RETIRED) gentoo-dev

2004-04-15 00:47:10 UTC

AA-Sources-2.4.23-r2 patched...

Comment 8 Tim Yamin (RETIRED) gentoo-dev

2004-04-15 00:57:30 UTC

Alpha-sources 2.4.21-r5 added and now in...

Comment 9 Tim Yamin (RETIRED) gentoo-dev

2004-04-15 01:10:31 UTC

Ck-sources 2.4.25-r1 and 2.6.4-r1 are patched.

Comment 10 Tim Yamin (RETIRED) gentoo-dev

2004-04-15 01:17:43 UTC

Compaq-sources-2.4.9.32.7-r3 added...

Comment 11 Tim Yamin (RETIRED) gentoo-dev

2004-04-15 01:32:34 UTC

Development sources 2.6.6_rc1 added.

Comment 12 Tim Yamin (RETIRED) gentoo-dev

2004-04-15 02:11:14 UTC

IA64-Sources 2.4.24-r2 added.

Comment 13 Tim Yamin (RETIRED) gentoo-dev

2004-04-15 03:32:59 UTC

Planet-CCRMA-sources-2.4.21-r6 added in...

Comment 14 Tim Yamin (RETIRED) gentoo-dev

2004-04-15 03:33:45 UTC

PAC-Sources-2.4.23-r4 added in...

Comment 15 Tim Yamin (RETIRED) gentoo-dev

2004-04-15 03:56:50 UTC

PPC-Sources 2.4.24-r3 added in...

Comment 16 Tim Yamin (RETIRED) gentoo-dev

2004-04-15 05:43:15 UTC

Added in PPC-Sources-Benh-2.4.22-r6...
Added in PPC-Sources-Crypto-2.4.20-r4...
Added in PPC-Sources-Dev-2.4.24-r3...
Added in PPC64-Sources-2.6.4-r1...

Joker's added in SPARC-Sources 2.4.25-r1...

Comment 17 Tim Yamin (RETIRED) gentoo-dev

2004-04-15 05:59:35 UTC

Added VServer-sources-2.4.25.1.3.8-r1...

Comment 18 Tim Yamin (RETIRED) gentoo-dev

2004-04-15 08:29:05 UTC

WOLK-Sources 4.11-r2 and 4.9-r5 added...

Comment 19 Tim Yamin (RETIRED) gentoo-dev

2004-04-15 11:54:07 UTC

GS-sources-2.4.25_pre7-r3 added...
Tseng added Hardened-Dev-Sources 2.6.4-r4...
UCLinux-Sources 2.4.24_p0-r1 and 2.6.5_p0-r1 added...
Usermode-Sources 2.6.3-r2 and 2.4.24-r2 added...
XFS-Sources 2.4.24-r4 added...

Comment 20 Joshua Kinard gentoo-dev

2004-04-16 19:16:10 UTC

mips-sources and ck-sources had the wrong patch for 2.6 added (it was the mremap patch).  ck-sources is apparently fixed, I just fixed mips-sources.

Comment 21 Tim Yamin (RETIRED) gentoo-dev

2004-04-17 08:35:24 UTC

*** Bug 48050 has been marked as a duplicate of this bug. ***

Comment 22 Derk W te Bokkel 2004-04-21 15:50:19 UTC

FYI .. Patch causes problems for CD players both gnome and Kde based.. app will crash .. gnome CD player at least craches without killing the playing of the CD

Comment 23 Thierry Carrez (RETIRED) gentoo-dev

2004-04-28 02:33:07 UTC

For the sake of completeness, here is a vuln list for the kernel :

* CAN-2004-0109 : Privilege escalation using ISO9660 file systems
* CAN-2004-0133 : Information leak in the XFS code
* CAN-2004-0177 : Information leak in the ext3 code
* CAN-2004-0181 : Information leak in the JFS code
* CAN-2004-0178 : Denial of service condition in the Sound Blaster driver
* CAN-2004-0228 : Information leak in cpufreq userspace ioctl
* CAN-2004-0229 : Vulnerability in fb_copy_cmap (framebuffer driver) [2.6]
* CAN-2004-0394 : Buffer overflow in 2.4 kernel's panic() function [2.4]
* CAN-2004-0424 : Integer overflow in code handling the MCAST_MSFILTER option

There is also a "Memory leak in the do_fork() routine" which seems to have no CVE number.

Given the broad range of vulns here, it may be a good idea to issue a partial GLSA with only available 2.4.26 / 2.6.4 versions (which I believe include all fixes), and take care of the patch backporting & testing next ?

-K

Comment 24 Kurt Lieber (RETIRED) gentoo-dev

2004-04-28 03:51:22 UTC

what kernels *can* be patched?  gentoo-dev-sources 2.6.4 and vanilla sources 2.4.26, presumably.  What else?  grsec-sources 2.4.26?  gs-sources?

Comment 25 Tim Yamin (RETIRED) gentoo-dev

2004-04-28 08:10:21 UTC

Anything can be patched, except the MCAST_MSFILTER, since I haven't had anybody who I know that uses it; thus I can't test the patch. If you find somebody that can be done as well.

Comment 26 Thierry Carrez (RETIRED) gentoo-dev

2004-05-04 07:22:48 UTC

If we can't test, then I think we should leave the MCAST_FILTER patch out and issue a GLSA for the others. We really need a GLSA out for the kernel asap.

-K

Comment 27 Thierry Carrez (RETIRED) gentoo-dev

2004-05-04 07:33:31 UTC

*** Bug 48466 has been marked as a duplicate of this bug. ***

Comment 28 Tim Yamin (RETIRED) gentoo-dev

2004-06-04 11:29:22 UTC

The remaining sources that are vulnerable are listed below; I've fixed everything else. Sources marked with "*" only need the CAN-2004-0394 patch applied; this can be found in aa-sources/files. Sources without an asterisk need patching for more things; please see comment #23.

gentoo-dev-sources - johnm is absent; this needs bumping to 2.6.6 or patching.
hardened-dev-sources - This also needs bumping to 2.6.6 or patching.
openmosix-sources - Adding cluster@gentoo.org to CC.

hardened-sources * - Adding hardened@gentoo.org to CC.
hppa-sources * - Assigned to GMSoft; says it should be done in a day or two...
pegasos-sources * - Adding dholm@gentoo.org to CC.
selinux-sources * - Adding pebenito@gentoo.org to CC.

Comment 29 Tim Yamin (RETIRED) gentoo-dev

2004-06-04 11:36:01 UTC

Alpha Team: You need to stable alpha-sources-2.4.21-r7 which solves the security issues mentioned in this bug.

IA64 Team: You need to stable alpha-sources-2.4.24-r4 which solves the security issues mentioned in this bug.

Thanks!

Comment 30 David Holm (RETIRED) gentoo-dev

2004-06-04 14:17:00 UTC

pegasos-sources-2.4.26 fixed

Comment 31 Bryan Østergaard (RETIRED) gentoo-dev

2004-06-04 17:31:02 UTC

Marked alpha-sources-2.4.21-r7 stable.

Comment 32 Guy Martin (RETIRED) gentoo-dev

2004-06-06 17:18:16 UTC

hppa-sources-2.4.26_p4 include the fix

Comment 33 Tim Yamin (RETIRED) gentoo-dev

2004-06-14 09:27:28 UTC

Cluster's fixed theirs; removing from CC.

Comment 34 Chris PeBenito (RETIRED) gentoo-dev

2004-06-15 14:00:04 UTC

selinux-sources fixed

Comment 35 Brandon Hale (RETIRED) gentoo-dev

2004-06-15 20:52:36 UTC

hardened-dev-sources patchset updated to include relevant fixes.

Comment 36 Tim Yamin (RETIRED) gentoo-dev

2004-07-03 16:06:01 UTC

GLSA 200407-02; http://article.gmane.org/gmane.linux.gentoo.announce/382; closing as FIXED.