Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 341801 (CVE-2010-3904) - Kernel: Linux RDS Protocol Local Privilege Escalation (CVE-2010-3904)
Summary: Kernel: Linux RDS Protocol Local Privilege Escalation (CVE-2010-3904)
Alias: CVE-2010-3904
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
: High critical (vote)
Assignee: Gentoo Security
Whiteboard: [linux < 2.6.36]
Depends on:
Reported: 2010-10-19 19:49 UTC by Tim Sammut (RETIRED)
Modified: 2013-09-15 20:02 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2010-10-19 19:49:27 UTC
From $url:

Vulnerability Overview

On October 13th, VSR identified a vulnerability in the RDS protocol, as implemented in the Linux kernel. Because kernel functions responsible for copying data between kernel and user space failed to verify that a user-provided address actually resided in the user segment, a local attacker could issue specially crafted socket function calls to write abritrary values into kernel memory. By leveraging this capability, it is possible for unprivileged users to escalate privileges to root.

Vulnerability Details

On Linux, recvmsg() style socket calls are performed using iovec structs, which allow a user to specify a base address and size for a buffer used to receive socket data. Each packet family is responsible for defining functions that copy socket data, which is received by the kernel, back to user space to allow user programs to process and handle received network data.

When performing this copying of data to user space, the RDS protocol failed to verify that the base address of a user-provided iovec struct pointed to a valid userspace address before using the __copy_to_user_inatomic() function to copy the data. As a result, by providing a kernel address as an iovec base and issuing a recvmsg() style socket call, a local user could write arbitrary data into kernel memory. This can be leveraged to escalate privileges to root. 

More detail is available at $url, including a link to this upstream patch.;a=commitdiff;h=799c10559d60f159ab2232203f222f18fa3c4a5f
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2010-10-19 22:34:04 UTC
Just FYI, courtesy of Michael Pagano <>.

<-- snip -->

This is an automated email announcing the release of genpatches-2.6.35-12


Revision 1809: 
Patch for CVE-2010-3904 Priviledge escalation (mpagano)
Added: 1500_CVE-2010-3904-RDS-Priv-Escal-fix.patch

Revision 1810: 
2.6.35-12 release (mpagano)


When the website updates, the complete patch list and split-out patches will be
available here:


genpatches is the patchset applied to some kernels available in Portage.

For more information, see the genpatches homepage:

For a simple example of how to use genpatches in your kernel ebuild, look at a
recent gentoo-sources-2.6.* ebuild.

Comment 2 Mike Pagano gentoo-dev 2010-10-19 23:41:05 UTC
This fix is now released in the following genpatches:


The following newly released gentoo-sources kernels contain the patch:


The following stable request bugs have been filed for these kernels:
bug #341833 for gentoo-sources-2.6.32-r20
bug #341831 for gentoo-sources-2.6.34-r12

No stable request filed for 2.6.35-r11, as we wait for the prerequisite 30 days for the new baselayout to be requested to be stabled  before we can do so.

Comment 3 Mike Pagano gentoo-dev 2010-10-20 00:20:00 UTC
I added the archs to the wrong bug. My bad.
Comment 4 Anthony Basile gentoo-dev 2010-10-20 16:46:58 UTC
The fix is in the following hardened sources patchsets:


for the following ebuilds:


Note that the fix is included the grsecurity patches:


and so the hardened sources patchsets do not include


from genpatches (to avoid patch collision on the same issue).
Comment 5 Anthony Basile gentoo-dev 2010-10-20 16:57:02 UTC
Fast track stabilization request for hardened-sources-2.6.32-r22 submitted in bug #341915.

We're waiting on hardened-sources-2.6.35-r4 for the same reason as in Comment #2 --- we need baselayout 2 stabilization.