
Bug 59378

Summary: sys-kernel/*: file offset pointer handling vulnerability
Product: Gentoo Security
Reporter: Carsten Lohrke (RETIRED) <carlo>
Component: Kernel
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: gregkh, hanno, hp-cluster
Priority: High
Flags: plasmaroo: Assigned_To? (plasmaroo)
Version: unspecified
Hardware: All
OS: All
URL: http://isec.pl/vulnerabilities/isec-0016-procleaks.txt
Whiteboard: A4 [kernel]
Package list:
Runtime testing required: ---

Description Carsten Lohrke (RETIRED) gentoo-dev 2004-08-04 04:34:37 UTC
There are two different versions of the file handling API inside recent
Linux kernels: the old 32 bit and the new (LFS) 64 bit API. We have
identified numerous places where invalid conversions from 64 bit sized
file offsets to 32 bit ones, as well as insecure access to the file
offset member variable, take place.

We have found that most of the /proc entries (like /proc/version) leak
about one page of uninitialized kernel memory and can be exploited to
obtain sensitive data.

Tested and known to be vulnerable kernel versions are all <= 2.4.26 and
<= 2.6.7. All users are encouraged to patch all vulnerable systems as
soon as appropriate vendor patches are released. There is no hotfix for
this vulnerability.

Exploit included. That's fun! :(
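The bug class the description above refers to, as an added illustrative C model written for this page (it is not kernel source, not the iSEC exploit and not the Gentoo patch): a read_proc-style handler receives the file position as a 32-bit int and follows the common "page + off" window idiom. A vulnerable dispatcher narrows a 64-bit position before calling it and copies out whatever window comes back; a hardened one reads the position once into a local (so a concurrent seek cannot change it between check and use), rejects positions the handler cannot address before narrowing, and bounds-checks the returned window against the page. The arena layout, the 'S' marker byte, the sample content string and every function name here are constructed assumptions; real kernel handlers and the real proc_file_read path differ in detail.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096
typedef int64_t loff64_t;   /* stands in for the kernel's 64-bit loff_t */

/* Constructed layout: the page a /proc handler fills sits right after a
 * region of stale bytes standing in for uninitialized kernel memory. */
static unsigned char arena[2 * PAGE_SIZE];
#define PAGE ((char *)arena + PAGE_SIZE)

static const char content[] = "Linux version 2.4.26 (constructed sample)\n";

/* Modelled on the old 32-bit read_proc callback shape: the position arrives
 * as a signed int, so a large 64-bit offset is already mangled on entry.
 * The body is the usual "return a window at page + off" idiom. */
static int version_read_proc(char *buf, char **start, int off, int count, int *eof)
{
    int len = (int)strlen(content);
    memcpy(buf, content, (size_t)len + 1);
    *eof = 1;
    /* No check that off >= 0 or off <= len: a negative off produces a
     * pointer before the page and a length larger than the data. */
    *start = buf + off;
    len -= off;
    if (len > count) len = count;
    if (len < 0) len = 0;
    return len;
}

/* Vulnerable dispatcher (hypothetical name): narrows the 64-bit position
 * for the callback and copies out whatever window the callback returns. */
static long proc_read_vulnerable(char *out, size_t count, loff64_t *ppos)
{
    char *start = NULL;
    int eof = 0;
    /* The cast mirrors the implicit 64-bit -> 32-bit narrowing at the call. */
    int n = version_read_proc(PAGE, &start, (int)*ppos, (int)count, &eof);
    if (n <= 0)
        return 0;
    memcpy(out, start, (size_t)n);   /* stands in for copy_to_user */
    *ppos += n;
    return n;
}

/* Hardened dispatcher (hypothetical name): one local copy of the position,
 * range check before narrowing, and the returned window must fit the page. */
static long proc_read_hardened(char *out, size_t count, loff64_t *ppos)
{
    loff64_t pos = *ppos;            /* read once; never re-read *ppos below */
    char *start = NULL;
    int eof = 0, n;

    if (pos < 0 || pos >= PAGE_SIZE)
        return 0;                    /* beyond anything a one-page handler serves: EOF */
    if (count > PAGE_SIZE)
        count = PAGE_SIZE;
    n = version_read_proc(PAGE, &start, (int)pos, (int)count, &eof);
    if (n <= 0)
        return 0;
    if (start < PAGE || (size_t)(PAGE + PAGE_SIZE - start) < (size_t)n)
        return -EIO;                 /* handler misbehaved; copy nothing out */
    memcpy(out, start, (size_t)n);
    *ppos = pos + n;
    return n;
}

/* Demo helper: fill the stale region with a marker, then read once at pos. */
static long read_at(long (*read_fn)(char *, size_t, loff64_t *), loff64_t pos, char *out)
{
    memset(arena, 'S', PAGE_SIZE);   /* constructed "stale kernel memory" */
    memset(PAGE, 0, PAGE_SIZE);
    memset(out, 0, PAGE_SIZE);
    return read_fn(out, PAGE_SIZE, &pos);
}

static long bytes_returned(long (*read_fn)(char *, size_t, loff64_t *), loff64_t pos)
{
    static char out[PAGE_SIZE];
    return read_at(read_fn, pos, out);
}

/* How many of the bytes handed to the caller came from the stale region. */
static int leaked_stale_bytes(long (*read_fn)(char *, size_t, loff64_t *), loff64_t pos)
{
    static char out[PAGE_SIZE];
    long n = read_at(read_fn, pos, out), i;
    int stale = 0;
    for (i = 0; i < n; i++)
        if (out[i] == 'S') stale++;
    return stale;
}

int main(void)
{
    loff64_t crafted = 0xFFFFF001LL;   /* positive as 64-bit, -4095 as int */
    printf("vulnerable: %d stale bytes\n", leaked_stale_bytes(proc_read_vulnerable, crafted));
    printf("hardened:   %d stale bytes\n", leaked_stale_bytes(proc_read_hardened, crafted));
    return 0;
}
```

Build with `cc -Wall model.c && ./a.out`. The crafted position passes any naive "offset is non-negative" check done on the 64-bit value, yet reaches the handler as -4095, so the vulnerable path returns 4095 bytes from before the page plus the first byte of real content, which is the "about one page" the advisory describes; the hardened path returns 0 for the same position and still serves ordinary reads at small offsets. The check is done on the 64-bit value before narrowing because checking the int after the fact is too late: the information about the high bits is already gone.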
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-08-04 08:15:08 UTC
CAN-2004-0415
Comment 2 solar (RETIRED) gentoo-dev 2004-08-04 11:43:40 UTC
Patched in grsec-sources-2.4.26.2.0-r7.ebuild with 
http://dev.gentoo.org/~plasmaroo/patches/kernel/misc/security/linux-2.4.26-CAN-2004-0415.patch

Note to other kernel maintainers:
This patch is 80k and thus too large for ${FILESDIR}, so please use SRC_URI=
Comment 3 Tim Yamin (RETIRED) gentoo-dev 2004-08-04 12:26:32 UTC
Patches for 2.4.{19, 2[0123456]} as well as 2.6.7 are also there at http://dev.gentoo.org/~plasmaroo/patches/kernel/misc/security/...
Comment 4 Andrea Luzzardi 2004-08-04 13:01:44 UTC
hardened-sources patched (2.4.26-r4).
Comment 5 Guillaume Destuynder (RETIRED) gentoo-dev 2004-08-04 18:50:55 UTC
rsbac-(dev-)sources patched
Comment 6 Tim Yamin (RETIRED) gentoo-dev 2004-08-05 07:17:08 UTC
All done, everything should now be patched. The following sources remain, and I'm adding their maintainers to the CC list:

gentoo-dev-sources: Adding gregkh...
hardened-dev-sources: hardened@gentoo.org is already on the list...
hppa-(dev-)sources: Adding GMSoft...
mips-sources: Adding `Kumba...
openmosix-sources: Adding cluster herd...
{ppc, pegasos(dev-)}-sources: Adding dholm...
sparc-sources: Adding Joker...
selinux-sources: Adding pebenito...
Comment 7 Konstantin Arkhipov (RETIRED) gentoo-dev 2004-08-05 08:13:41 UTC
openmosix-sources patched
Comment 8 Joshua Kinard gentoo-dev 2004-08-05 22:04:37 UTC
mips-sources fixed.
Comment 9 Greg Kroah-Hartman (RETIRED) gentoo-dev 2004-08-06 17:11:51 UTC
gentoo-dev-sources fixed in release 2.6.7-r12
Comment 10 Brandon Hale (RETIRED) gentoo-dev 2004-08-06 18:45:02 UTC
Fixed in hardened-dev-sources.
Comment 11 David Holm (RETIRED) gentoo-dev 2004-08-08 04:13:03 UTC
ppc-sources, pegasos-sources, and pegasos-dev-sources have been fixed.
Comment 12 solar (RETIRED) gentoo-dev 2004-08-08 08:53:08 UTC
Removing hardened@ but leaving  pebenito@ on the list for selinux-sources
Comment 13 Guy Martin (RETIRED) gentoo-dev 2004-08-09 16:33:22 UTC
Fixed on hppa.
Comment 14 Gustavo Zacarias (RETIRED) gentoo-dev 2004-08-12 05:48:26 UTC
sparc-sources-2.4.27 is out and stable courtesy of Joker, fixed.
Joker: I'm just removing sparc@ from this, feel free to remove yourself.
Comment 15 Christian Birchinger (RETIRED) gentoo-dev 2004-08-12 09:25:01 UTC
sparc-sources-2.4.27 released
Comment 16 Chris PeBenito (RETIRED) gentoo-dev 2004-08-13 20:11:30 UTC
selinux-src fixed
Comment 17 Tim Yamin (RETIRED) gentoo-dev 2004-08-26 04:49:59 UTC
GLSA 200408-24.