On October 13th, VSR identified a vulnerability in the RDS protocol, as implemented in the Linux kernel. Because kernel functions responsible for copying data between kernel and user space failed to verify that a user-provided address actually resided in the user segment, a local attacker could issue specially crafted socket function calls to write arbitrary values into kernel memory. By leveraging this capability, it is possible for unprivileged users to escalate privileges to root.
On Linux, recvmsg() style socket calls are performed using iovec structs, which allow a user to specify a base address and size for a buffer used to receive socket data. Each packet family is responsible for defining functions that copy socket data, which is received by the kernel, back to user space to allow user programs to process and handle received network data.
When performing this copying of data to user space, the RDS protocol failed to verify that the base address of a user-provided iovec struct pointed to a valid userspace address before using the __copy_to_user_inatomic() function to copy the data. As a result, by providing a kernel address as an iovec base and issuing a recvmsg() style socket call, a local user could write arbitrary data into kernel memory. This can be leveraged to escalate privileges to root.
More detail is available at $url, including a link to this upstream patch.
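An added illustration of the missing check the description points at. This is a user-space simulation written for this page, not kernel code and not the upstream patch: a flat byte array stands in for memory, `sim_access_ok` plays the role of the kernel's user-range check (the `access_ok` analogue), and the two `rds_copy_*` functions contrast the unchecked copy with the checked one. The address split, function names and sample data are all constructed.

```c
/* Constructed user-space simulation of the check the RDS receive path lacked.
 * A flat byte array stands in for memory; addresses below USER_LIMIT are the
 * "user segment", everything at or above it is "kernel". Not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MEM_SIZE   4096u   /* size of the simulated address space */
#define USER_LIMIT 2048u   /* analogue of TASK_SIZE: first "kernel" address */

static unsigned char sim_mem[MEM_SIZE];

/* Analogue of access_ok(): [addr, addr+len) must lie entirely in the user
 * segment, and addr+len must not wrap around and look small. */
static bool sim_access_ok(uintptr_t addr, size_t len)
{
    uintptr_t end = addr + (uintptr_t)len;
    if (end < addr)            /* arithmetic wrapped: huge len or addr */
        return false;
    return end <= USER_LIMIT;  /* may end exactly at the boundary */
}

/* Analogue of __copy_to_user_inatomic(): performs no validation at all and
 * relies on the caller having checked the destination range. */
static void sim_copy_to_user_inatomic(uintptr_t dst, const void *src, size_t len)
{
    memcpy(&sim_mem[dst], src, len);
}

/* Pattern the advisory describes: the iovec base is trusted as-is, so a
 * kernel-segment address results in a write into "kernel" memory. */
static int rds_copy_vulnerable(uintptr_t iov_base, const void *data, size_t len)
{
    sim_copy_to_user_inatomic(iov_base, data, len);
    return 0;
}

/* Fixed pattern: validate the range first, fail with -EFAULT otherwise. */
static int rds_copy_fixed(uintptr_t iov_base, const void *data, size_t len)
{
    if (!sim_access_ok(iov_base, len))
        return -EFAULT;
    sim_copy_to_user_inatomic(iov_base, data, len);
    return 0;
}

/* Read back one byte of simulated memory, to observe each copy's effect. */
static unsigned char sim_peek(uintptr_t addr) { return sim_mem[addr]; }
```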
Just FYI, courtesy of Michael Pagano <email@example.com>.
<-- snip -->
This is an automated email announcing the release of genpatches-2.6.35-12
CHANGES SINCE 2.6.35-11
Patch for CVE-2010-3904 Privilege escalation (mpagano)
2.6.35-12 release (mpagano)
When the website updates, the complete patch list and split-out patches will be
genpatches is the patchset applied to some kernels available in Portage.
For more information, see the genpatches homepage:
For a simple example of how to use genpatches in your kernel ebuild, look at a
recent gentoo-sources-2.6.* ebuild.
This fix is now released in the following genpatches:
The following newly released gentoo-sources kernels contain the patch:
The following stable request bugs have been filed for these kernels:
bug #341833 for gentoo-sources-2.6.32-r20
bug #341831 for gentoo-sources-2.6.34-r12
No stable request filed for 2.6.35-r11, as we wait for the prerequisite 30 days for the new baselayout to be requested to be stabled before we can do so.
I added the archs to the wrong bug. My bad.
The fix is in the following hardened sources patchsets:
for the following ebuilds:
Note that the fix is included in the grsecurity patches:
and so the hardened sources patchsets do not include
from genpatches (to avoid patch collision on the same issue).
Fast track stabilization request for hardened-sources-2.6.32-r22 submitted in bug #341915.
We're waiting on hardened-sources-2.6.35-r4 for the same reason as in Comment #2 --- we need baselayout 2 stabilization.