Bug 277714 (CVE-2009-1895) - Linux < personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)
Summary: Linux < personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)
Alias: CVE-2009-1895
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: [linux >=2.6.23 <] [linux >=...
Keywords: InVCS
Duplicates: 278467
Depends on:
Reported: 2009-07-13 21:05 UTC by Robert Buchholz (RETIRED)
Modified: 2013-09-05 03:37 UTC (History)
CC: 3 users

See Also:
Package list:
Runtime testing required: ---

Attachment: Patch (patch, 514 bytes), 2009-07-17 15:44 UTC, Brayan Arraes (YacK)

Description Robert Buchholz (RETIRED) gentoo-dev 2009-07-13 21:05:04 UTC
commit f9fabcb58a6d26d6efde842d1703ac7cfa9427b6
Author: Julien Tinnes <>
Date:   Fri Jun 26 20:27:40 2009 +0200

    personality: fix PER_CLEAR_ON_SETID

    We have found that the current PER_CLEAR_ON_SETID mask on Linux doesn't
    include either ADDR_COMPAT_LAYOUT or MMAP_PAGE_ZERO.

    We believe it is important to add MMAP_PAGE_ZERO, because by using this
    personality it is possible to have the first page mapped inside a
    process running as setuid root.  This could be used in those scenarios:

     - Exploiting a NULL pointer dereference issue in a setuid root binary
     - Bypassing the mmap_min_addr restrictions of the Linux kernel: by
       running a setuid binary that would drop privileges before giving us
       control back (for instance by loading a user-supplied library), we
       could get the first page mapped in a process we control.  By further
       using mremap and mprotect on this mapping, we can then completely
       bypass the mmap_min_addr restrictions.

    Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
    since on x86 32bits it will in practice disable most of the address
    space layout randomization (only the stack will remain randomized).

    Signed-off-by: Julien Tinnes <>
    Signed-off-by: Tavis Ormandy <>
    Acked-by: Christoph Hellwig <>
    Acked-by: Kees Cook <>
    Acked-by: Eugene Teo <>
    [ Shortened lines and fixed whitespace as per Christoph's suggestion ]
    Signed-off-by: Linus Torvalds <>

See also:
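A worked check for the behaviour the commit describes, added here as an example; it is not code from the kernel patch, from the attachment on this bug, or from any of the commenters. It models the clearing that fs/exec.c applies to a process's personality on a setuid/setgid exec under the mask before the fix and the mask after it, so you can see that MMAP_PAGE_ZERO and ADDR_COMPAT_LAYOUT survive the old mask and are dropped by the new one. The main() then does a live, non-setuid demonstration of what MMAP_PAGE_ZERO actually does: it sets the flag, re-execs itself, and reports whether the kernel mapped page zero. Assumptions: the flag bit values are those of include/linux/personality.h (redeclared under a PF_ prefix so the arithmetic compiles anywhere), and the PZ_CHILD environment variable is an arbitrary marker invented for this example to tell the second exec stage apart.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/personality.h>   /* personality(2), PER_LINUX, MMAP_PAGE_ZERO */
#endif

/* Flag bit values as defined in include/linux/personality.h, redeclared under
 * a PF_ prefix so the mask arithmetic below compiles even where
 * <sys/personality.h> is not available. */
#define PF_ADDR_NO_RANDOMIZE  0x0040000UL
#define PF_MMAP_PAGE_ZERO     0x0100000UL
#define PF_ADDR_COMPAT_LAYOUT 0x0200000UL
#define PF_READ_IMPLIES_EXEC  0x0400000UL

/* PER_CLEAR_ON_SETID before commit f9fabcb58a6d (the vulnerable mask) ... */
#define OLD_PER_CLEAR_ON_SETID (PF_READ_IMPLIES_EXEC | PF_ADDR_NO_RANDOMIZE)
/* ... and after it, with the two flags the commit adds. */
#define NEW_PER_CLEAR_ON_SETID (PF_READ_IMPLIES_EXEC | PF_ADDR_NO_RANDOMIZE | \
                                PF_ADDR_COMPAT_LAYOUT | PF_MMAP_PAGE_ZERO)

/* Model of the clearing fs/exec.c applies to the caller's personality when the
 * image being exec'd is setuid/setgid: persona &= ~PER_CLEAR_ON_SETID. */
unsigned long personality_after_setid_exec(unsigned long persona,
                                           unsigned long clear_mask)
{
    return persona & ~clear_mask;
}

/* Returns 1 if MMAP_PAGE_ZERO or ADDR_COMPAT_LAYOUT would still be set in the
 * setuid process under the given mask, i.e. the flags this CVE is about leak
 * into the privileged process; 0 otherwise. */
int dangerous_flags_survive(unsigned long persona, unsigned long clear_mask)
{
    unsigned long after = personality_after_setid_exec(persona, clear_mask);
    return (after & (PF_MMAP_PAGE_ZERO | PF_ADDR_COMPAT_LAYOUT)) != 0;
}

/* Returns 1 if /proc/self/maps lists a mapping that starts at address 0,
 * 0 if none is found or /proc is not available. */
int page_zero_mapped(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    int found = 0;

    if (f == NULL)
        return 0;
    while (fgets(line, sizeof line, f) != NULL) {
        unsigned long start, end;
        if (sscanf(line, "%lx-%lx", &start, &end) == 2 && start == 0) {
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

int main(int argc, char **argv)
{
    /* What an attacker would set before running a setuid binary. */
    unsigned long persona = PF_MMAP_PAGE_ZERO | PF_ADDR_COMPAT_LAYOUT;
    (void)argc;
    (void)argv;

    printf("vulnerable mask 0x%07lx: flags survive setuid exec = %d\n",
           OLD_PER_CLEAR_ON_SETID,
           dangerous_flags_survive(persona, OLD_PER_CLEAR_ON_SETID));
    printf("fixed mask      0x%07lx: flags survive setuid exec = %d\n",
           NEW_PER_CLEAR_ON_SETID,
           dangerous_flags_survive(persona, NEW_PER_CLEAR_ON_SETID));

#ifdef __linux__
    /* Live check of what MMAP_PAGE_ZERO does: set it, re-exec ourselves (no
     * setuid involved) and report whether the kernel mapped page zero at exec
     * time. PZ_CHILD is this example's own marker for the second stage. */
    if (getenv("PZ_CHILD") == NULL) {
        if (personality(PER_LINUX | MMAP_PAGE_ZERO) == -1) {
            perror("personality");
            return 1;
        }
        setenv("PZ_CHILD", "1", 1);
        execv("/proc/self/exe", argv);
        perror("execv");
        return 1;
    }
    printf("after re-exec: personality = 0x%lx, page zero mapped = %d\n",
           (unsigned long)personality(0xffffffff), page_zero_mapped());
#endif
    return 0;
}
```

The first two lines of output contrast the masks: under the old mask the two flags survive (1), under the fixed mask they do not (0). The live stage is the caveat a practitioner should keep in mind: for an unprivileged process the exec-time page-zero mapping is itself subject to mmap_min_addr, so the re-exec'd child normally reports page zero as unmapped. The commit's attack path is interesting precisely because a setuid-root image is exempt from that limit, so a flag that leaks across the setuid exec gets the page mapped where the unprivileged caller could not.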
Comment 1 Mike Pagano gentoo-dev 2009-07-16 00:56:04 UTC
In SVN for the next release of gentoo-sources (2.6.30-r3)
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-16 16:24:41 UTC
CVE-2009-1895 (
  The personality subsystem in the Linux kernel before 2.6.31-rc3 has a
  PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT
  and MMAP_PAGE_ZERO flags when executing a setuid or setgid program,
  which makes it easier for local users to leverage the details of
  memory usage to (1) conduct NULL pointer dereference attacks, (2)
  bypass the mmap_min_addr protection mechanism, or (3) defeat address
  space layout randomization (ASLR).

Comment 3 Brayan Arraes (YacK) 2009-07-17 15:44:48 UTC
Created attachment 198328
Comment 4 kfm 2009-07-20 13:45:49 UTC
*** Bug 278467 has been marked as a duplicate of this bug. ***