Re: CVE request: kernel: failure to revert address limit override in OOPS error path

[Josh Bressers <bressers () redhat com>]

Please use CVE-2010-4258 for this.

Thanks.

-- 
    JB


----- "Dan Rosenberg" <dan.j.rosenberg () gmail com> wrote:

> Nelson Elhage reported an issue in the Linux kernel.  When the kernel
> performs an address limit override via set_fs(KERNEL_DS) and
> subsequently faults or BUGs before restoring USER_DS, the error path
> includes calls to put_user() to a user-controlled address.  Calls to
> put_user() include access_ok() checks on the provided address to
> ensure it lies in userspace.  However, because of the address limit
> override, these checks will always pass in this case, allowing the
> process owner to turn an OOPS into a write to an arbitrary kernel
> address, which can easily lead to privilege escalation.
>
> This problem requires an additional vulnerability to exploit, but as
> Nelson points out, it's not too uncommon for such issues to exist.
> CVE-2010-3849 (NULL pointer dereference in Econet) is a recent
> example
> that can be triggered under KERNEL_DS and used to escalate privileges
> via this bug.
>
> Reference:
> http://marc.info/?l=linux-kernel&m=129117048916957&w=2
>
> -Dan