Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 47881 - sys-kernel/* : multiple vulnerabilities
Summary: sys-kernel/* : multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
: Highest critical (vote)
Assignee: Gentoo Security
URL: http://www.idefense.com/application/p...
Whiteboard: A1 [kernel+]
Keywords:
: 48050 48466 (view as bug list)
Depends on:
Blocks:
 
Reported: 2004-04-14 21:57 UTC by gen2daniel
Modified: 2011-10-30 22:42 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---
plasmaroo: Pending+
plasmaroo: Assigned_To? (plasmaroo)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description gen2daniel 2004-04-14 21:57:46 UTC
The Linux kernel performs no length checking on symbolic links stored on
an ISO9660 file system, allowing a malformed CD to perform an arbitrary
length overflow in kernel memory.

Symbolic links on ISO9660 file systems are supported by the 'Rock Ridge'
extension to the standard format. The vulnerability can be triggered by
performing a directory listing on a maliciously constructed ISO file
system, or attempting to access a file via a malformed symlink on such a
file system. Many distributions allow local users to mount CDs, which
makes them potentially vulnerable to local elevation attacks.

The relevant functions are as follows:

fs/isofs/rock.c: rock_ridge_symlink_readpage()
fs/isofs/rock.c: get_symlink_chunk()

There is no checking that the total length of the symlink being read is
less than the memory space that has been allocated for storing it. By
supplying many CE (continuation) records, each with another SL (symlink)
chunk, it is possible for an attacker to build an arbitrary length data
structure in kernel memory space.

A proof of concept exploit has been written that allows a local user to
gain root level access. It is also possible to cause execution of code
with kernel privileges.

III. ANALYSIS

In order to exploit this vulnerability, an attacker must be able to
mount a maliciously constructed file system. This may be accomplished by
the following:

a. Having an account on the machine to be compromised and inserting a
malformed disk. Some distributions allow local users to mount removable
media without needing to be root and with some configurations. This
happens automatically when a disk is inserted. The proof of concept
exploit works from floppy disk as well as CD-ROM.

If the attacker can reboot the machine from his or her own media or
supply command line options to the kernel during the initialization
process after rebooting, exploiting this vulnerability may not be
necessary to gain further access. In this situation, the attacker will
not be able to directly access any encrypted file systems.

b. If encrypted virtual file systems are implemented, and the attacker
gains access to an account able to mount one, then an attacker may be
able to mount his or her own maliciously formed file system via the
encryption interface. This would allow them access to any already
mounted file systems.

c. Being root already. If the attacker has already gained root, but the
kernel has some form of patch preventing root being able to perform
certain functions, he or she may still be able to mount a file system.
As the vulnerability occurs in kernel space, it may be possible for them
to neutralize the restrictions.

IV. DETECTION

The issue affects the 2.4.x, 2.5.x and 2.6.x kernel. Other kernel
implementations may also be vulnerable.

V. WORKAROUNDS

Disable user mounting of removable media devices.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Comment 1 Tim Yamin (RETIRED) gentoo-dev 2004-04-14 22:52:18 UTC
Thanks; fixed kernels will be added here as they are done.
Comment 2 Tim Yamin (RETIRED) gentoo-dev 2004-04-14 23:19:41 UTC
Vanilla-sources-2.4.26 is in...
Comment 3 Tim Yamin (RETIRED) gentoo-dev 2004-04-14 23:45:27 UTC
Vanilla-sources-2.4.26 is in...
Comment 4 Tim Yamin (RETIRED) gentoo-dev 2004-04-14 23:45:52 UTC
SELinux-sources-2.4.25 is in...
Comment 5 solar (RETIRED) gentoo-dev 2004-04-15 00:02:48 UTC
As long as no bug reports show up for grsec at grsec site and spender 
moves his patches out of http://grsecurity.net/~spender/ and to the main
site. I'll be putting it in as 2.4.26 (2.x final) and removing all older
versions. This should conclude the grsec-2.4.x series all together.
Well atleast till the next sec bug is discovered.
Comment 6 Tim Yamin (RETIRED) gentoo-dev 2004-04-15 00:34:30 UTC
Win4Lin-Sources 2.4.25-r1 and 2.6.5-r1 which are patched are now in...
Comment 7 Tim Yamin (RETIRED) gentoo-dev 2004-04-15 00:47:10 UTC
AA-Sources-2.4.23-r2 patched...
Comment 8 Tim Yamin (RETIRED) gentoo-dev 2004-04-15 00:57:30 UTC
Alpha-sources 2.4.21-r5 added and now in...
Comment 9 Tim Yamin (RETIRED) gentoo-dev 2004-04-15 01:10:31 UTC
Ck-sources 2.4.25-r1 and 2.6.4-r1 are patched.
Comment 10 Tim Yamin (RETIRED) gentoo-dev 2004-04-15 01:17:43 UTC
Compaq-sources-2.4.9.32.7-r3 added...
Comment 11 Tim Yamin (RETIRED) gentoo-dev 2004-04-15 01:32:34 UTC
Development sources 2.6.6_rc1 added.
Comment 12 Tim Yamin (RETIRED) gentoo-dev 2004-04-15 02:11:14 UTC
IA64-Sources 2.4.24-r2 added.
Comment 13 Tim Yamin (RETIRED) gentoo-dev 2004-04-15 03:32:59 UTC
Planet-CCRMA-sources-2.4.21-r6 added in...
Comment 14 Tim Yamin (RETIRED) gentoo-dev 2004-04-15 03:33:45 UTC
PAC-Sources-2.4.23-r4 added in...
Comment 15 Tim Yamin (RETIRED) gentoo-dev 2004-04-15 03:56:50 UTC
PPC-Sources 2.4.24-r3 added in...
Comment 16 Tim Yamin (RETIRED) gentoo-dev 2004-04-15 05:43:15 UTC
Added in PPC-Sources-Benh-2.4.22-r6...
Added in PPC-Sources-Crypto-2.4.20-r4...
Added in PPC-Sources-Dev-2.4.24-r3...
Added in PPC64-Sources-2.6.4-r1...

Joker's added in SPARC-Sources 2.4.25-r1...
Comment 17 Tim Yamin (RETIRED) gentoo-dev 2004-04-15 05:59:35 UTC
Added VServer-sources-2.4.25.1.3.8-r1...
Comment 18 Tim Yamin (RETIRED) gentoo-dev 2004-04-15 08:29:05 UTC
WOLK-Sources 4.11-r2 and 4.9-r5 added...
Comment 19 Tim Yamin (RETIRED) gentoo-dev 2004-04-15 11:54:07 UTC
GS-sources-2.4.25_pre7-r3 added...
Tseng added Hardened-Dev-Sources 2.6.4-r4...
UCLinux-Sources 2.4.24_p0-r1 and 2.6.5_p0-r1 added...
Usermode-Sources 2.6.3-r2 and 2.4.24-r2 added...
XFS-Sources 2.4.24-r4 added...
Comment 20 Joshua Kinard gentoo-dev 2004-04-16 19:16:10 UTC
mips-sources and ck-sources had the wrong patch for 2.6 added (it was the mremap patch).  ck-sources is apparently fixed, I just fixed mips-sources.
Comment 21 Tim Yamin (RETIRED) gentoo-dev 2004-04-17 08:35:24 UTC
*** Bug 48050 has been marked as a duplicate of this bug. ***
Comment 22 Derk W te Bokkel 2004-04-21 15:50:19 UTC
FYI .. Patch causes problems for CD players both gnome and Kde based.. app will crash .. gnome CD player at least craches without killing the playing of the CD
Comment 23 Thierry Carrez (RETIRED) gentoo-dev 2004-04-28 02:33:07 UTC
For the sake of completeness, here is a vuln list for the kernel :

* CAN-2004-0109 : Privilege escalation using ISO9660 file systems
* CAN-2004-0133 : Information leak in the XFS code
* CAN-2004-0177 : Information leak in the ext3 code
* CAN-2004-0181 : Information leak in the JFS code
* CAN-2004-0178 : Denial of service condition in the Sound Blaster driver
* CAN-2004-0228 : Information leak in cpufreq userspace ioctl
* CAN-2004-0229 : Vulnerability in fb_copy_cmap (framebuffer driver) [2.6]
* CAN-2004-0394 : Buffer overflow in 2.4 kernel's panic() function [2.4]
* CAN-2004-0424 : Integer overflow in code handling the MCAST_MSFILTER option

There is also a "Memory leak in the do_fork() routine" which seems to have no CVE number.

Given the broad range of vulns here, it may be a good idea to issue a partial GLSA with only available 2.4.26 / 2.6.4 versions (which I believe include all fixes), and take care of the patch backporting & testing next ?

-K
Comment 24 Kurt Lieber (RETIRED) gentoo-dev 2004-04-28 03:51:22 UTC
what kernels *can* be patched?  gentoo-dev-sources 2.6.4 and vanilla sources 2.4.26, presumably.  What else?  grsec-sources 2.4.26?  gs-sources?  

Comment 25 Tim Yamin (RETIRED) gentoo-dev 2004-04-28 08:10:21 UTC
Anything can be patched, except the MCAST_MSFILTER, since I haven't had anybody who I know that uses it; thus I can't test the patch. If you find somebody that can be done as well.
Comment 26 Thierry Carrez (RETIRED) gentoo-dev 2004-05-04 07:22:48 UTC
If we can't test, then I think we should leave the MCAST_FILTER patch out and issue a GLSA for the others. We really need a GLSA out for the kernel asap.

-K
Comment 27 Thierry Carrez (RETIRED) gentoo-dev 2004-05-04 07:33:31 UTC
*** Bug 48466 has been marked as a duplicate of this bug. ***
Comment 28 Tim Yamin (RETIRED) gentoo-dev 2004-06-04 11:29:22 UTC
The remaining sources that are vulnerable are listed below; I've fixed everything else. Sources marked with "*" only need the CAN-2004-0394 patch applied; this can be found in aa-sources/files. Sources without an asterisk need patching for more things; please see comment #23.

gentoo-dev-sources - johnm is absent; this needs bumping to 2.6.6 or patching.
hardened-dev-sources - This also needs bumping to 2.6.6 or patching.
openmosix-sources - Adding cluster@gentoo.org to CC.

hardened-sources * - Adding hardened@gentoo.org to CC.
hppa-sources * - Assigned to GMSoft; says it should be done in a day or two...
pegasos-sources * - Adding dholm@gentoo.org to CC.
selinux-sources * - Adding pebenito@gentoo.org to CC.
Comment 29 Tim Yamin (RETIRED) gentoo-dev 2004-06-04 11:36:01 UTC
Alpha Team: You need to stable alpha-sources-2.4.21-r7 which solves the security issues mentioned in this bug.

IA64 Team: You need to stable alpha-sources-2.4.24-r4 which solves the security issues mentioned in this bug.

Thanks!
Comment 30 David Holm (RETIRED) gentoo-dev 2004-06-04 14:17:00 UTC
pegasos-sources-2.4.26 fixed
Comment 31 Bryan Østergaard (RETIRED) gentoo-dev 2004-06-04 17:31:02 UTC
Marked alpha-sources-2.4.21-r7 stable.
Comment 32 Guy Martin (RETIRED) gentoo-dev 2004-06-06 17:18:16 UTC
hppa-sources-2.4.26_p4 include the fix
Comment 33 Tim Yamin (RETIRED) gentoo-dev 2004-06-14 09:27:28 UTC
Cluster's fixed theirs; removing from CC.
Comment 34 Chris PeBenito (RETIRED) gentoo-dev 2004-06-15 14:00:04 UTC
selinux-sources fixed
Comment 35 Brandon Hale (RETIRED) gentoo-dev 2004-06-15 20:52:36 UTC
hardened-dev-sources patchset updated to include relevant fixes.
Comment 36 Tim Yamin (RETIRED) gentoo-dev 2004-07-03 16:06:01 UTC
GLSA 200407-02; http://article.gmane.org/gmane.linux.gentoo.announce/382; closing as FIXED.