Slashdot Mirror


Root Privileges Through Linux Kernel Bug

Lars T. writes "The H has a story about a Linux kernel bug that allows root level access. 'According to a report written by Rafal Wojtczuk (PDF), a conceptual problem in the memory management area of Linux allows local attackers to execute code at root level. The Linux issue is caused by potential overlaps between the memory areas of the stack and shared memory segments.' SUSE maintainer Andrea Arcangeli provided a fix for the problem in September 2004, but for unknown reasons this fix was not included in the Linux kernel. The bug is not related to the X Server bug found by Brad Spengler." As the linked article notes: "SUSE itself has the fix and SUSE Linux Enterprise 9, 10 and 11 as well as openSUSE 11.1 through 11.3 do not exhibit this vulnerability."

26 of 131 comments

  1. Unrelated? The PDFs are the same! by Anonymous Coward · · Score: 4, Informative

    How can the two bugs be unrelated? Both articles have the exact same link to the exact same PDF! (Hint: the PDF's filename is xorg-large-memory-attacks.pdf on both).

    1. Re:Unrelated? The PDFs are the same! by NeverVotedBush · · Score: 4, Insightful

      I think what it is is that the Xorg server is an easy attack vector for the Linux kernel memory management issue.

      The memory management issue is the thing that enables using a flaw in the X server to escalate privilege. If you fix the X server to not allow that kind of manipulation, you still have the kernel memory management issue that could be used by some other application to escalate privilege.

      I think that fixing the X server - one mitigation is to disable the MIT-SHM extension as discussed in the pdf - really reduces the exposure but since the real problem is in the kernel, it doesn't completely remove the threat.

      At least that is how I understand it...

    2. Re:Unrelated? The PDFs are the same! by lortho · · Score: 5, Informative

      It's because both articles are actually about the Wojtczuk report, and they both mis-quote Joanna Rutkowska as stating the bug is related to Spengler's X-Server flaw. She clarifies in an update to H-Online's version of the article that she was misunderstood and that they are actually unrelated.

    3. Re:Unrelated? The PDFs are the same! by Peach+Rings · · Score: 4, Informative

      Also if you read Linus's patch notes they're the exact same problem.

  2. Nothing to see here.... by interfecio · · Score: 3, Informative

    From the RedHat bug report:

    Eugene Teo (Security Response) 2010-08-12 21:44:06 EDT
    Linus has committed a fix for this issue: http://git.kernel.org/linus/320b2b8de12698082609ebbc1a17165727f4c893

    1. Re:Nothing to see here.... by JohnFluxx · · Score: 5, Insightful

      I don't agree that it's "nothing to see here" - something has gone wrong if it took 6 years for this to happen.

    2. Re:Nothing to see here.... by Americano · · Score: 4, Insightful

      Nothing to see here? Will you say the same thing when Microsoft waits 6 years to apply a fix to WinXP? :)

      Yes, these things are less likely to happen with Linux. That doesn't mean Linux kernel processes are above reproach, and can't be made more responsive & accountable in cases like this where somebody obviously dropped the ball on merging a patch somewhere. I hope they spend a little time reviewing how this got missed, to make sure it's not a flaw in their process that could allow it to happen again.

    3. Re:Nothing to see here.... by Beelzebud · · Score: 3, Funny

      "Nothing to see here....." says Lt. Frank Drebin, as the fireworks factory behind him burns to the ground.

    4. Re:Nothing to see here.... by petermgreen · · Score: 3, Insightful

      Agreed it would be good to know where the breakdown in communication happened. Did it get ignored because the submitter didn't realise it was a security issue and report it as such? Did someone just miss an email somewhere? (and if so why wasn't there a system in place to keep track of current security bugs and make it bloody obvious which ones still needed fixing along with someone responsible for looking at that list and fixing them). Was the breakdown on the SUSE side or the upstream side?

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register

    5. Re:Nothing to see here.... by Warll · · Score: 4, Funny

      He's right, real men don't look at explosions.

    6. Re:Nothing to see here.... by jittles · · Score: 4, Interesting

      My guess would be an oversight at kernel.org. I submitted a kernel patch to the USB HID driver back in the days of 2.6.10 and 2.6.13. The driver was incorrectly suspending its state (I can't remember what it was doing off the top of my head) while it held onto a spinlock. The result was 100% CPU utilization when you called certain ioctls made available by the driver. The patch didn't make it in until 2.6.17 if I recall correctly, and not until someone with a name submitted a patch for it.

  3. Re:Linux! "It just works!" by nomadic · · Score: 5, Funny

    Indeed, 5 years old and no exploit. Patched several years ago by the distros. The question is why didn't it get back into the kernel tree.

    Why not ask the kernel developers? Nah, I'm not just joking, don't ask those nutjobs anything, they'll just freak out and start yelling at you.

  4. Re: Ask the Kernel Overlords by xiando · · Score: 4, Interesting

    Why not ask the kernel developers? Nah, I'm not just joking, don't ask those nutjobs anything, they'll just freak out and start yelling at you.

    I've seen many similar statements, so there may be some truth to this, but my experience is that they give you a short-as-possible only-most-relevant question such as "Can you bisect?" or reply like "Patch rejected: missing signoff". It appears their time is very valuable or they have to pay $5 per typed letter.

  5. Re:Wait... what? by mandelbr0t · · Score: 4, Informative

    Actually, no, this is a simple Stack Buffer Overflow. Basically, by causing a running privileged process (e.g. X Server) to make a recursive call, the stack will grow into memory space owned by the unprivileged user. Now, all the unprivileged user has to do is put some code somewhere (perhaps by exploiting another buffer overflow) and rewrite the return address, which lives in its memory page.

    The fix adds a guard page between the shared memory region and the system stack to protect against the stack growing into memory where it is no longer protected. At any rate, ProPolice would have prevented this mistake from being exploitable.

    --
    "Please describe the scientific nature of the 'whammy'" - Agent Scully

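
    An added example to go with the mechanism mandelbr0t describes (it is not code from the thread, from the Wojtczuk report or from the kernel): it parses the text of /proc/<pid>/maps and measures how many bytes separate the [stack] mapping from the nearest mapping below it, using constructed sample lines. A zero gap is the layout the report describes, a SysV shm segment abutting the stack; whether the kernel then refuses to grow the stack into that page is what the guard-page commit adds, and a layout check like this one cannot observe that part.

```c
#include <stdio.h>
#include <string.h>
/* Constructed samples, not real captures: a shm segment directly below the
 * stack, then the same pair with one 4 KiB page left unmapped between them. */
static const char *MAPS_ADJACENT =
    "7f1a2b000000-7f1a2b001000 rw-s 00000000 00:04 65538  /SYSV00000000 (deleted)\n"
    "7f1a2b001000-7f1a2b022000 rw-p 00000000 00:00 0      [stack]\n";
static const char *MAPS_GUARDED =
    "7f1a2b000000-7f1a2b001000 rw-s 00000000 00:04 65538  /SYSV00000000 (deleted)\n"
    "7f1a2b002000-7f1a2b023000 rw-p 00000000 00:00 0      [stack]\n";
/* Copy the line at *p into buf and advance *p past it; returns 0 at end. */
static int next_line(const char **p, char *buf, size_t n)
{
    const char *nl = strchr(*p, '\n');
    size_t len = nl ? (size_t)(nl - *p) : strlen(*p);
    if (**p == '\0') return 0;
    if (len >= n) len = n - 1;              /* truncate over-long lines */
    memcpy(buf, *p, len);
    buf[len] = '\0';
    *p = nl ? nl + 1 : *p + strlen(*p);
    return 1;
}
/* Bytes between the [stack] start and the highest mapping end at or below
 * it; -1 if the text has no [stack] line. Zero means a neighbour abuts it. */
long long stack_gap_bytes(const char *maps)
{
    char line[512];
    const char *p = maps;
    unsigned long long s, e, stack_lo = 0, below_hi = 0;
    int found = 0;
    while (next_line(&p, line, sizeof line))       /* pass 1: locate [stack] */
        if (sscanf(line, "%llx-%llx", &s, &e) == 2 && strstr(line, "[stack]"))
            stack_lo = s, found = 1;
    if (!found) return -1;
    p = maps;                                       /* pass 2: nearest mapping below */
    while (next_line(&p, line, sizeof line))
        if (sscanf(line, "%llx-%llx", &s, &e) == 2 && e <= stack_lo && e > below_hi)
            below_hi = e;
    return (long long)(stack_lo - below_hi);
}
int main(void)
{
    static char buf[1 << 16];                       /* this process's own maps */
    FILE *f = fopen("/proc/self/maps", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    printf("adjacent=%lld guarded=%lld self=%lld\n", stack_gap_bytes(MAPS_ADJACENT),
           stack_gap_bytes(MAPS_GUARDED), stack_gap_bytes(buf));
    return 0;
}
```

    On a non-Linux host the self check prints -1 because /proc/self/maps is absent.
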
  6. Re:Linux! "It just works!" by MobileTatsu-NJG · · Score: 3, Insightful

    I wonder how many bugs like this are lurking in closed source products, just waiting to be discovered and exploited?

    I wonder how many bugs like this are lurking in open source projects, just waiting to be discovered and used against people that assume that the software they use is secure because they read Slashdot comments.

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  7. Re:ZOMG!!! by Dunbal · · Score: 3, Insightful

    What part of "local attackers" do you fail to understand?

    --
    Seven puppies were harmed during the making of this post.

  8. Re:ZOMG!!! by GameboyRMH · · Score: 4, Funny

    Cut the guy a break, he's a Windows fanboy. He probably thinks a local user is just anyone in the same geographic region.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel

  9. Re:Long live to SUSE??? by alanebro · · Score: 5, Informative

    Cut my post too short.

    "SUSE maintainer Andrea Arcangeli provided a fix for the problem in September 2004, but for unknown reasons this fix was not included in the Linux kernel"

  10. Re:Linux! "It just works!" by Hatta · · Score: 4, Insightful

    Indeed, 5 years old and no exploit.

    How do you know?

    --
    Give me Classic Slashdot or give me death!

  11. Re: Ask the Kernel Overlords by Zero__Kelvin · · Score: 4, Informative

    "I've seen many similar statements, so there may be some truth to this, but my experience is that they give you a short-as-possible only-most-relevant question such as "Can you bisect?" or reply like "Patch rejected: missing signoff". It appears their time is very valuable or they have to pay $5 per typed letter"

    Behold the phenomenal power of Open Source! The time of each and every kernel developer is in fact a highly valuable commodity, yet I get the benefit of the fruits of their labor without shelling out a sixpence! And the best part? This was fixed last week.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

  12. Re:Tuesday by Gadget_Guy · · Score: 4, Funny

    At least we don't have to wait for four Tuesdays' time for the fix...

    No, we had to wait over 300 Tuesdays for the fix to the kernel. That's 75 times better!

  13. Already fixed in Ubuntu by LingNoi · · Score: 4, Informative

    So I read the PDF...

    The Linux kernel versions that include the commit 320b2b8de12698082609ebbc1a17165727f4c893 from Linus' tree are fixed.

    which is the patch.. "Patch "mm: keep a guard page below a grow-down stack segment" has been added to the 2.6.32-stable tree"

    and meanwhile my ubuntu update manager pops up and shows an update for the kernel and gives the following link to the changelog...
    http://launchpad.net/ubuntu/+source/linux/2.6.32-24.41/+changelog

    * mm: keep a guard page below a grow-down stack segment - CVE-2010-2240

    Nice to see people are on the ball with security updates, even if it shouldn't have happened in the first place.

  14. Re:Wow! Linux is really Secure. by jours · · Score: 4, Insightful

    Look at this graph: http://linuxinsecurity.blogspot.com/

    Please do. Notice how the graphs show Windows with 10-12% of the issues unpatched?

    That's the problem. Well that and the missing graph showing "time to patch"...

    --
    This sig intentionally left blank.

  15. Re: Ask the Kernel Overlords by smash · · Score: 3, Interesting

    So, only 6 years late then? SuSE just went way up in my book.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.

  16. you didn't do it right by Chirs · · Score: 4, Informative

    If you really want to get a fix in, the correct procedure is to keep pestering the maintainer for that area until they accept your patch. If you can't get them to accept it, you go up the chain.

    Yes, in an ideal world all maintainers would be perfectly organized. In the real world things get lost, they get distracted, other issues pop up, and the patch doesn't make it in.

    If you care about it...make some noise.

  17. Obligatory... by Pete+Venkman · · Score: 4, Funny

    This won't be a problem for me since I don't run Linux.

    Now the shoe's on the other foot!