Slashdot Mirror

← Back to Stories (view on slashdot.org)

Root Privileges Through Linux Kernel Bug

Posted by timothy on from the who-needs-windows? dept.

Lars T. writes "The H has a story about a Linux kernel bug that allows root level access. 'According to a report written by Rafal Wojtczuk (PDF), a conceptual problem in the memory management area of Linux allows local attackers to execute code at root level. The Linux issue is caused by potential overlaps between the memory areas of the stack and shared memory segments.' SUSE maintainer Andrea Arcangeli provided a fix for the problem in September 2004, but for unknown reasons this fix was not included in the Linux kernel. The bug is not related to the X Server bug found by Brad Spengler." As the linked article notes: "SUSE itself has the fix and SUSE Linux Enterprise 9, 10 and 11 as well as openSUSE 11.1 through 11.3 do not exhibit this vulnerability."

15 of 131 comments (clear)

  1. Unrelated? The PDFs are the same! by Anonymous Coward · · Score: 4, Informative

    How can the two bugs be unrelated? both articles have the exact same link to the exact same PDF! (Hint: the pdf's filename is xorg-large-memory-attacks.pdf on both).

    1. Re:Unrelated? The PDFs are the same! by lortho · · Score: 5, Informative

      It's because both articles are actually about the Wojtczuk report, and they both mis-quote Joanna Rutkowska as stating the bug is related to Spengler's X-Server flaw. She clarifies in an update to H-Online's version of the article that she was misunderstood and that they are actually unrelated.

    2. Re:Unrelated? The PDFs are the same! by Peach+Rings · · Score: 4, Informative

      Also if you read linus's patch notes they're the exact same problem.

    3. Re:Unrelated? The PDFs are the same! by bjourne · · Score: 2, Informative

      I think that fixing the X server - one mitigation is to disable the MIT-SHM extension as discussed in the pdf - really reduces the exposure but since the real problem is in the kernel, it doesn't completely remove the threat.

      The shm extension is integral to all modern xorg servers. You *may* be able to run xorg without shm, but many programs will refuse to work and performance will drop to a few percent of what it is with shm enabled. It's the transport the X server uses for communication with its client. With shm (shared memory) disabled, it has to serialize all objects and send them over a socket which of course is dog slow.

      --
      Football Odds
  2. Re:Long live to SUSE??? by valeo.de · · Score: 2, Informative

    No, just that this particular bug has been patched in SUSE for six years, while mainline has only just gotten the fix.

    --
    cat: /home/valeo/.sig: No such file or directory
  3. Nothing to see here.... by interfecio · · Score: 3, Informative

    From the RedHat bug report: Eugene Teo (Security Response) 2010-08-12 21:44:06 EDT Linus has committed a fix for this issue: http://git.kernel.org/linus/320b2b8de12698082609ebbc1a17165727f4c893

    1. Re:Nothing to see here.... by Target+Practice · · Score: 2, Informative

      It's not, but the Linux kernel is... and that's where the vulnerability is...

      --
      There's a 68.71% chance you're right.
    2. Re:Nothing to see here.... by LingNoi · · Score: 2, Informative

      Race?

      The most popular distros already patched it days ago and others are currently in testing.

      Redhat patched it 2 days ago.
      Ubuntu patched it 2 days ago.
      Fedora is currently testing the patches. Not sure if it's already live.
      Debian Lenny has patched it.

  4. Re:Wait... what? by Short+Circuit · · Score: 2, Informative

    If I read the git patch correctly, if said root process has a memory-mapped page coincident with a non-root process, and the non-root process can write to said memory mapped region (via having it memory mapped into their own process), then said non-root process can affect the behavior of the root process.

    What was broken, and appears to have been corrected, is that an application's *stack* could grow into a memory-mapped page and corrupt the data in the root process while it's at it. (The stack is a piece of memory that hold data about the functions currently executing in a particular thread in your program.)

    (enter educated guess section; I spend most of my time coding userland apps on Windows, not Linux.)

    The case where this seems most possible to exploit is the loading of shared libraries. I don't know if the same mmap mechanism is used by the kernel, though. While it's entirely probable that writing to that region is protected, so long as the application is doing so under its own memory privilege level, it's possible that there's a syscall into the kernel that expands a thread's stack when the allocated memory for that stack is nearly exhausted. The syscall's operations run with kernel privileges, and it looks like the stack page allocator wasn't sufficiently checking the properties of the userland address it was allocating stack into.

    (end educated guess section; I'm probably wrong, anyway.)

    --
    tasks(723) drafts(105) languages(484) examples(29106)
  5. Re:Wait... what? by mandelbr0t · · Score: 4, Informative

    Actually, no, this is a simple Stack Buffer Overflow. Basically, by causing a running privileged process (e.g. X Server) to make a recursive call, the stack will grow into memory space owned by the unprivileged user. Now, all the unprivileged user has to do is put some code somewhere (perhaps by exploiting another buffer overflow) and rewrite the return address, which lives in its memory page.

    The fix adds a guard page between the shared memory region and the system stack to protect against the stack growing into memory where it is no longer protected. At any rate, ProPolice would have prevented this mistake from being exploitable.

    --
    "Please describe the scientific nature of the 'whammy'" - Agent Scully
  6. Re:Long live to SUSE??? by alanebro · · Score: 5, Informative

    Cut my post too short.

    "SUSE maintainer Andrea Arcangeli provided a fix for the problem in September 2004, but for unknown reasons this fix was not included in the Linux kernel"

  7. Re: Ask the Kernel Overlords by Zero__Kelvin · · Score: 4, Informative

    "I've seen many similar statements, so there may be some truth to this, but my experience is that they give you a short-as-possible only-most-relevant question such as "Can you bisect?" or reply like "Patch rejected: missing signoff". It appears their time is very valuable or they have to pay $5 pr. typed letter"

    Behold the phenomenal power off Open Source! The time of each and every kernel developer is in fact a highly valuable commodity, yet I get the benefit of the fruits of their labor without shelling out a sixpence! And the best part? This was fixed last week.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  8. Already fixed in Ubuntu by LingNoi · · Score: 4, Informative

    So I read the PDF...

    The Linux kernel versions that include the commit 320b2b8de12698082609ebbc1a17165727f4c893 from Linus tree are fixed.

    which is the patch.. "Patch "mm: keep a guard page below a grow-down stack segment" has been added to the 2.6.32-stable tree"

    and meanwhile my ubuntu update managaer pops up and shows an update for the kernel and gives the following link to the changelog...
    http://launchpad.net/ubuntu/+source/linux/2.6.32-24.41/+changelog

    * mm: keep a guard page below a grow-down stack segment - CVE-2010-2240

    Nice to see people are on the ball with security updates, even if it shouldn't have been happened in the first place.

  9. you didn't do it right by Chirs · · Score: 4, Informative

    If you really want to get a fix in, the correct procedure is to keep pestering the maintainer for that area until they accept your patch. If you can't get them to accept it, you go up the chain.

    Yes, in an ideal world all maintainers would be perfectly organized. In the real world things get lost, they get distracted, other issues pop up, and the patch doesn' t make it in.

    If you care about it...make some noise.

  10. Re:Wow! Linux is really Secure. by rolfc · · Score: 2, Informative

    Yes, something is seriously wrong with this comparison. You compare a clean and unused operatingsystem with a fullfledged Linuxdistribution with a lot of applications.

    Of course the Linuxdistribution will have more bugs, but you dont have to install all the software that comes with it. On the other hand, to be able to use the Windows server to something useful, you have to install more Microsoft and/or thirdparty software. It isnt even a webserver without installing more software in Secunias statistics. IIS has its own category.

    Dont compare apples and pears, you will only fool yourself.