Bug 270330 (CVE-2009-1527) - Kernel: ptrace_attach: fix the usage of ->cred_exec_mutex (CVE-2009-1527)
Summary: Kernel: ptrace_attach: fix the usage of ->cred_exec_mutex (CVE-2009-1527)
Status: RESOLVED FIXED
Alias: CVE-2009-1527
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://git.kernel.org/?p=linux/kernel...
Whiteboard: [linux >=2.6.29 <2.6.29.3] [gp >=2.6....
Keywords:
Depends on:
Blocks:
 
Reported: 2009-05-18 17:39 UTC by Robert Buchholz (RETIRED)
Modified: 2013-09-15 20:06 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Robert Buchholz (RETIRED) gentoo-dev 2009-05-18 17:39:36 UTC
CVE-2009-1527 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1527):
  Race condition in the ptrace_attach function in kernel/ptrace.c in
  the Linux kernel before 2.6.30-rc4 allows local users to gain
  privileges via a PTRACE_ATTACH ptrace call during an exec system call
  that is launching a setuid application, related to locking an
  incorrect cred_exec_mutex object.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-05-18 17:45:07 UTC
Note this allows for local root compromise:
http://milw0rm.org/exploits/8673
Comment 2 kfm 2009-07-24 04:06:37 UTC
This does not affect <2.6.29 (the code is different). I tried the exploit against 2.6.28.10 and it did not prevail. Eugene Teo, of Red Hat, said:

"This vulnerability was introduced in commit d84f4f99 ("CRED: Inaugurate
COW credentials"), and was fixed in commit cad81bc2 ("ptrace:
ptrace_attach: fix the usage of ->cred_exec_mutex"). It affects kernel 2.6.29."

Source: http://marc.info/?l=oss-security&m=124141149127926&w=2
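
The following is an added illustration, not part of the bug report and not kernel code: a single-threaded user-space model of why the attach-time check must be serialized on the target task's `cred_exec_mutex` rather than the caller's. The `struct task`, `model_attach` and `simulate` names, the uid values and the `atomic_flag` stand-in for the mutex are all assumptions made for the model.

```c
#include <stdatomic.h>
#include <stdio.h>

/* User-space model only: each task owns a cred_exec_mutex (set = held). */
struct task {
    atomic_flag cred_exec_mutex;
    int euid;
};

static int try_lock(atomic_flag *m) { return !atomic_flag_test_and_set(m); }
static void unlock(atomic_flag *m)  { atomic_flag_clear(m); }

/* Attach-time permission check. lock_owner is the task whose mutex is taken:
 * the tracer (the wrong object) or the target (the task being exec'd).
 * Returns 1 if attach is granted, 0 if it is refused or must wait for exec. */
static int model_attach(struct task *tracer, struct task *target,
                        struct task *lock_owner)
{
    if (!try_lock(&lock_owner->cred_exec_mutex))
        return 0;                      /* exec in progress: serialized */
    int granted = (tracer->euid == target->euid); /* sees pre-exec creds */
    unlock(&lock_owner->cred_exec_mutex);
    return granted;
}

/* Returns 1 if the unprivileged tracer ends up attached to a task whose
 * credentials were raised by the setuid exec, 0 otherwise. */
int simulate(int lock_target)
{
    struct task tracer = { ATOMIC_FLAG_INIT, 1000 };
    struct task target = { ATOMIC_FLAG_INIT, 1000 };

    try_lock(&target.cred_exec_mutex);   /* setuid exec starts on target */
    int attached = model_attach(&tracer, &target,
                                lock_target ? &target : &tracer);
    target.euid = 0;                     /* exec installs new credentials */
    unlock(&target.cred_exec_mutex);     /* exec done */

    return attached && target.euid != tracer.euid;
}

int main(void)
{
    printf("tracer's own mutex: %d\n", simulate(0));
    printf("target's mutex:     %d\n", simulate(1));
    return 0;
}
```

With the tracer's own mutex the check is not ordered against the exec at all, so it passes on stale credentials; with the target's mutex the attach is held off until the exec has finished.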