
Bug 85385

Summary: sys_epoll_wait() Integer Overflow (CAN-2005-0736)
Product: Gentoo Security
Reporter: Jean-François Brunette (RETIRED) <formula7>
Component: Kernel
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: security-kernel
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://secunia.com/advisories/14548/
Whiteboard: [linux >=2.6 < 2.6.11.2]
Package list:
Runtime testing required: ---

Description Jean-François Brunette (RETIRED) gentoo-dev 2005-03-15 11:49:02 UTC
CVE reference: CAN-2005-0736

Description:
Georgi Guninski has reported a potential vulnerability in the Linux kernel, which may be exploited by malicious people to gain escalated privileges.

The vulnerability is caused due to an integer overflow in the "sys_epoll_wait()" function and can be exploited to cause a buffer overflow overwriting low kernel memory.

Successful exploitation may potentially allow execution of arbitrary code with escalated privileges. However, few applications reportedly use the affected part of the kernel memory space.

The vulnerability has been reported in versions 2.6 through 2.6.11.

Solution:
Update to version 2.6.11.2 or later.
http://kernel.org/

Original Advisory:
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.2
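The length-check overflow described in this report, reduced to a stand-alone illustration. This is added example code, not code from the bug, the Secunia advisory or the Linux kernel. It assumes a 12-byte event record (the size of a packed struct epoll_event on x86-32) and models the pre-fix validation as "count must be positive" and the post-fix validation as "count must also not exceed INT_MAX divided by the record size"; that bound is the shape of the upstream 2.6.11.2 fix as I recall it and is not stated on this page. The point it shows is why a positivity check alone is insufficient: a positive count can still make count * record_size wrap in 32-bit arithmetic, so a byte-length check sees a tiny value while a copy loop driven by the count itself would write far more.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: one event record is 12 bytes (packed struct epoll_event on
 * x86-32). A constant stands in for the real struct so the numbers are fixed. */
#define EVENT_SIZE 12u

/* Largest count whose byte length still fits in a 32-bit int. This is the
 * form of the bound the 2.6.11.2 fix introduced (assumption, not from the page). */
#define MAX_EVENTS ((int)(INT_MAX / EVENT_SIZE))

/* Byte length that 32-bit arithmetic produces for maxevents records: the
 * value a length check would see once the multiplication wraps. */
uint32_t wrapped_len(int maxevents)
{
    return (uint32_t)maxevents * EVENT_SIZE;
}

/* The same length computed without wraparound. */
uint64_t true_len(int maxevents)
{
    return (uint64_t)maxevents * EVENT_SIZE;
}

/* Pre-fix style validation: rejects only non-positive counts. */
bool old_check_accepts(int maxevents)
{
    return maxevents > 0;
}

/* Post-fix style validation: also rejects counts whose length overflows. */
bool new_check_accepts(int maxevents)
{
    return maxevents > 0 && maxevents <= MAX_EVENTS;
}

/* A count "bypasses" the old validation when it is accepted but its wrapped
 * length is smaller than its true length: any buffer check that used the
 * wrapped value would approve far fewer bytes than the count implies. */
bool old_check_bypassed(int maxevents)
{
    return old_check_accepts(maxevents) &&
           (uint64_t)wrapped_len(maxevents) < true_len(maxevents);
}

int main(void)
{
    /* Constructed sample counts: an ordinary one, and one chosen so that
     * count * EVENT_SIZE wraps to only 8 bytes in 32-bit arithmetic. */
    int samples[] = { 64, 357913942 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = samples[i];
        printf("maxevents=%d wrapped_len=%u true_len=%llu old=%s new=%s bypassed=%s\n",
               n, wrapped_len(n), (unsigned long long)true_len(n),
               old_check_accepts(n) ? "accept" : "reject",
               new_check_accepts(n) ? "accept" : "reject",
               old_check_bypassed(n) ? "yes" : "no");
    }
    return 0;
}
```

The fix pattern generalises beyond epoll: whenever a user-controlled count is multiplied by an element size before a length check, bound the count by `MAX / element_size` (or use an overflow-checked multiply) before the multiplication, never after it.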
Comment 1 solar (RETIRED) gentoo-dev 2005-03-15 12:32:49 UTC
hardened-dev-sources-2.6.11-r1 is marked stable with .11.2 (base)
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-03-16 02:26:15 UTC
From Ubuntu's latest:

Georgi Guninski discovered an integer overflow in the sys_epoll_wait()
function which allowed local users to overwrite the first few kB of
physical memory. However, very few applications actually use this
space (dosemu is a notable exception), but potentially this could lead
to privilege escalation. (CAN-2005-0736)
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-03-16 03:16:37 UTC
Mass-Ccing kern-sec@gentoo.org to make sure Kernel Security guys know about all
of these...
Comment 4 Daniel Drake (RETIRED) gentoo-dev 2005-03-19 06:18:48 UTC
Fixed in gentoo-dev-sources-2.6.11-r4
Comment 5 Joshua Kinard gentoo-dev 2005-04-23 22:26:05 UTC
mips-sources fixed.
Comment 6 Daniel Drake (RETIRED) gentoo-dev 2005-04-29 17:40:12 UTC
Fixed in usermode-sources-2.6.11
Comment 7 Daniel Drake (RETIRED) gentoo-dev 2005-05-10 15:32:12 UTC
Fixed in ck-sources-2.6.11-r7
Comment 8 Tim Yamin (RETIRED) gentoo-dev 2005-07-26 13:33:34 UTC
All fixed, closing bug.