Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 278122 (CVE-2009-1897) - Kernel: tun/tap: Fix crashes if open() /dev/net/tun and then poll() it. (CVE-2009-1897)
Summary: Kernel: tun/tap: Fix crashes if open() /dev/net/tun and then poll() it. (CVE-...
Status: RESOLVED FIXED
Alias: CVE-2009-1897
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://git.kernel.org/?p=linux/kernel...
Whiteboard: [linux >=2.6.30 <2.6.30.2]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-07-17 07:56 UTC by Robert Buchholz (RETIRED)
Modified: 2013-09-12 04:54 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-07-17 07:56:34 UTC
tun/tap: Fix crashes if open() /dev/net/tun and then poll() it.

Fix NULL pointer dereference in tun_chr_pool() introduced by commit
33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554 ("tun: Limit amount of queued
packets per device") and triggered by this code:

int fd;
struct pollfd pfd;
fd = open("/dev/net/tun", O_RDWR);
pfd.fd = fd;
pfd.events = POLLIN | POLLOUT;
poll(&pfd, 1, 0);

Reported-by: Eugene Kapun <abacabadabacaba@gmail.com>
Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
Comment 2 Kerin Millar 2009-07-18 01:48:47 UTC
This is applicable to >=2.6.30, not <2.6.31. Also, the security impact of the bug is somewhat worse than the summary and severity level suggests. Further information, including a video demonstrating spender's exploit (acquiring a root shell in the process):

http://isc.sans.org/diary.html?storyid=6820
http://lists.immunitysec.com/pipermail/dailydave/2009-July/005810.html
http://www.youtube.com/watch?v=UdkpJ13e6Z0
Comment 3 Kerin Millar 2009-07-18 02:17:27 UTC
Citation regarding the bug's scope:

"The commit that introduced the vulnerability (Feb 6th):
http://mirror.celinuxforum.org/gitstat/commit-detail.php?commit=33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554
Though it was committed before the release of the 2.6.29 kernel, it did not (thankfully) make it into the 2.6.29 kernel. It first appeared in 2.6.30."

That's an excerpt from the (interesting) opening comment in the exploit.c file, from the cheddar_bay tarball.
Comment 4 Kerin Millar 2009-07-19 01:09:16 UTC
This bug has galvanised upstream into queueing the following patch for stable, which enables -fno-delete-null-pointer-checks:

http://patchwork.kernel.org/patch/36060/
Comment 5 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-07-20 19:17:01 UTC
CVE-2009-1897 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1897):
  The tun_chr_poll function in drivers/net/tun.c in the tun subsystem
  in the Linux kernel 2.6.30 and 2.6.30.1, when the
  -fno-delete-null-pointer-checks gcc option is omitted, allows local
  users to gain privileges via vectors involving a NULL pointer
  dereference and an mmap of /dev/net/tun, a different vulnerability
  than CVE-2009-1894.