CVE-2010-4258

Bug #723945 reported by Brad Figg
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Fix Released
Undecided
Unassigned
Dapper
Won't Fix
Undecided
Brad Figg
Hardy
Fix Released
Undecided
Brad Figg
Karmic
Fix Released
Undecided
Brad Figg
Lucid
Fix Released
Undecided
Unassigned
Maverick
Fix Released
Undecided
Unassigned
Natty
Fix Released
Undecided
Unassigned
linux-fsl-imx51 (Ubuntu)
Invalid
Undecided
Unassigned
Dapper
Invalid
Undecided
Unassigned
Hardy
Invalid
Undecided
Unassigned
Karmic
Won't Fix
Undecided
Unassigned
Lucid
Fix Released
Undecided
Unassigned
Maverick
Invalid
Undecided
Unassigned
Natty
Invalid
Undecided
Unassigned
linux-lts-backport-maverick (Ubuntu)
Invalid
Undecided
Unassigned
Dapper
Won't Fix
Undecided
Unassigned
Hardy
Won't Fix
Undecided
Unassigned
Karmic
Won't Fix
Undecided
Unassigned
Lucid
Won't Fix
Undecided
Unassigned
Maverick
Won't Fix
Undecided
Unassigned
Natty
Invalid
Undecided
Unassigned
linux-mvl-dove (Ubuntu)
Invalid
Undecided
Unassigned
Dapper
Invalid
Undecided
Unassigned
Hardy
Invalid
Undecided
Unassigned
Karmic
Invalid
Undecided
Unassigned
Lucid
Won't Fix
Undecided
Paolo Pisati
Maverick
Won't Fix
Undecided
Paolo Pisati
Natty
Invalid
Undecided
Unassigned
linux-ti-omap4 (Ubuntu)
Fix Released
Undecided
Unassigned
Dapper
Invalid
Undecided
Unassigned
Hardy
Invalid
Undecided
Unassigned
Karmic
Invalid
Undecided
Unassigned
Lucid
Invalid
Undecided
Unassigned
Maverick
Fix Released
Undecided
Paolo Pisati
Natty
Fix Released
Undecided
Unassigned

Bug Description

If a user manages to trigger an oops with fs set to KERNEL_DS, fs is not
otherwise reset before do_exit(). do_exit may later (via mm_release in
fork.c) do a put_user to a user-controlled address, potentially allowing
a user to leverage an oops into a controlled write into kernel memory.

This is only triggerable in the presence of another bug, but this
potentially turns a lot of DoS bugs into privilege escalations, so it's
worth fixing. I have proof-of-concept code which uses this bug along
with CVE-2010-3849 to write a zero to an arbitrary kernel address, so
I've tested that this is not theoretical.

A more logical place to put this fix might be when we know an oops has
occurred, before we call do_exit(), but that would involve changing
every architecture, in multiple places.

Let's just stick it in do_exit instead.

Brad Figg (brad-figg)
security vulnerability: no → yes
description: updated
Nelson Elhage (nelhage)
summary: - CVE-2010-4258
+ lockdep warning in KSM
Revision history for this message
Brad Figg (brad-figg) wrote :

@nelson,

Do not change the title on any of the CVE tracking bugs.

Thanks

summary: - lockdep warning in KSM
+ CVE-2010-4258
Revision history for this message
Nelson Elhage (nelhage) wrote :

If that title was intentional, I think you have the wrong CVE here -- CVE-2010-4258 is a bug in do_exit that has nothing to do with ksm or lockdep: see https://www.redhat.com/security/data/cve/CVE-2010-4258.html

Revision history for this message
Nelson Elhage (nelhage) wrote :

Interesting, the commit message quoted here is the commit immediately *before* the one that fixes CVE-2010-4258 (a0b0f58cdd32ab363a600a294ddaa90f0c32de8c vs. 33dd94ae1ccbfb7bf0fb6c692bc3d1c4269e6177). So I'm guessing someone's import scripts have an off-by-one or someone copy-pasted the wrong sha1 somewhere. Sorry for the confusion here, I thought I was fixing a CVE that had mistakenly gotten attached, but it looks like it's the description that somehow got pulled in from the wrong place, instead.

Revision history for this message
Brad Figg (brad-figg) wrote :

@nelson,

Thanks for the pointer, I'll look into it.

description: updated
Revision history for this message
Brad Figg (brad-figg) wrote :

@nelson,

You saved my butt on that. I don't know how I got those commits crossed but it was all me, no tools involved.

Brad

Brad Figg (brad-figg)
Changed in linux (Ubuntu Natty):
status: New → Fix Released
Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Dapper):
assignee: nobody → Brad Figg (brad-figg)
status: New → Fix Committed
Changed in linux (Ubuntu Hardy):
assignee: nobody → Brad Figg (brad-figg)
status: New → Fix Committed
Changed in linux (Ubuntu Karmic):
assignee: nobody → Brad Figg (brad-figg)
status: New → Fix Committed
Changed in linux-mvl-dove (Ubuntu Natty):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Natty):
status: New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Natty):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Lucid):
status: New → Confirmed
Changed in linux-ti-omap4 (Ubuntu Maverick):
status: New → Confirmed
Changed in linux-ti-omap4 (Ubuntu Natty):
status: New → Confirmed
Changed in linux-ti-omap4 (Ubuntu Dapper):
status: New → Confirmed
Changed in linux-ti-omap4 (Ubuntu Hardy):
status: New → Confirmed
Changed in linux-ti-omap4 (Ubuntu Karmic):
status: New → Confirmed
Brad Figg (brad-figg)
tags: added: kernel-cve-tracking-bug
Paolo Pisati (p-pisati)
Changed in linux-ti-omap4 (Ubuntu Dapper):
status: Confirmed → Invalid
Changed in linux-ti-omap4 (Ubuntu Hardy):
status: Confirmed → Invalid
Changed in linux-ti-omap4 (Ubuntu Karmic):
status: Confirmed → Invalid
Changed in linux-ti-omap4 (Ubuntu Lucid):
status: Confirmed → Invalid
Changed in linux-mvl-dove (Ubuntu Dapper):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Hardy):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Karmic):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Lucid):
assignee: nobody → Paolo Pisati (p-pisati)
Changed in linux-mvl-dove (Ubuntu Maverick):
assignee: nobody → Paolo Pisati (p-pisati)
Paolo Pisati (p-pisati)
Changed in linux-ti-omap4 (Ubuntu Maverick):
assignee: nobody → Paolo Pisati (p-pisati)
Revision history for this message
Paolo Pisati (p-pisati) wrote :

maverick/ti-omap4: already fixed in 472dee75
natty/ti-omap4: already fixed in 33dd94ae

Changed in linux-ti-omap4 (Ubuntu Maverick):
status: Confirmed → Fix Released
Changed in linux-ti-omap4 (Ubuntu Natty):
status: Confirmed → Fix Released
Revision history for this message
Paolo Pisati (p-pisati) wrote :

lucid/master: fixed in ca59f93c
maverick/master: fixed in 472dee75

Changed in linux (Ubuntu Lucid):
status: New → Fix Released
Changed in linux (Ubuntu Maverick):
status: New → Fix Released
Paolo Pisati (p-pisati)
Changed in linux (Ubuntu Karmic):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.24-29.88

---------------
linux (2.6.24-29.88) hardy-proposed; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #736290

  [Steve Conklin]

  * Ubuntu-2.6.24-29.87
  * [Config] Allow insertchanges to work in later version chroots

  [Upstream Kernel Changes]

  * do_exit(): make sure that we run with get_fs() == USER_DS,
    CVE-2010-4258
    - LP: #723945
    - CVE-2010-4258
  * Make the bulkstat_one compat ioctl handling more sane
    - LP: #692848
  * Fix xfs_bulkstat_one size checks & error handling
    - LP: #692848
  * xfs: always use iget in bulkstat
    - LP: #692848
  * x25: Prevent crashing when parsing bad X.25 facilities CVE-2010-4164
    - LP: #731199
    - CVE-2010-4164
  * Revised [CVE-2010-4346 Hardy] install_special_mapping skips
    security_file_mmap check. CVE-2010-4346
    - LP: #731971
    - CVE-2010-4346

linux (2.6.24-29.87) hardy-proposed; urgency=low

  [ Steve Conklin ]

  * Release Tracking Bug
    - LP: #725138

  [Upstream Kernel Changes]

  * bluetooth: Fix missing NULL check, CVE-2010-4242
    - LP: #714846
    - CVE-2010-4242
  * NFS: fix the return value of nfs_file_fsync()
    - LP: #585657
  * bio: take care not overflow page count when mapping/copying user data,
    CVE-2010-4162
    - LP: #721441
    - CVE-2010-4162
  * filter: make sure filters dont read uninitialized memory
    - LP: #721282
    - CVE-2010-4158
  * tty: Make tiocgicount a handler, CVE-2010-4076, CVE-2010-4077
    - LP: #720189
    - CVE-2010-4077
  * block: check for proper length of iov entries earlier in
    blk_rq_map_user_iov(), CVE-2010-4163
    - LP: #721504
    - CVE-2010-4163
 -- Brad Figg <email address hidden> Wed, 16 Mar 2011 09:43:35 -0700

Changed in linux (Ubuntu Hardy):
status: Fix Committed → Fix Released
Paolo Pisati (p-pisati)
Changed in linux-mvl-dove (Ubuntu Lucid):
status: New → In Progress
Revision history for this message
Paolo Pisati (p-pisati) wrote :

karmic is EOL

Changed in linux-fsl-imx51 (Ubuntu Dapper):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Hardy):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Maverick):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Karmic):
status: New → Won't Fix
Paolo Pisati (p-pisati)
Changed in linux-fsl-imx51 (Ubuntu Lucid):
status: New → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (4.2 KiB)

This bug was fixed in the package linux-fsl-imx51 - 2.6.31-609.26

---------------
linux-fsl-imx51 (2.6.31-609.26) lucid; urgency=low

  [ Paolo Pisati ]

  * Tracking bug
    - LP: #795219
  * [Config] Disable parport_pc on fsl-imx51
    - LP: #601226

  [ Upstream Kernel Changes ]

  * ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory
    - LP: #712723, #712737
  * can-bcm: fix minor heap overflow
    - LP: #710680
  * drivers/video/via/ioctl.c: prevent reading uninitialized stack memory
    - LP: #712744
  * gdth: integer overflow in ioctl
    - LP: #711797
  * inet_diag: Make sure we actually run the same bytecode we audited, CVE-2010-3880
    - LP: #711865
    - CVE-2010-3880
  * net: fix rds_iovec page count overflow, CVE-2010-3865
    - LP: #709153
    - CVE-2010-3865
  * net: packet: fix information leak to userland, CVE-2010-3876
    - LP: #711045
    - CVE-2010-3876
  * net: tipc: fix information leak to userland, CVE-2010-3877
    - LP: #711291
    - CVE-2010-3877
  * net: Truncate recvfrom and sendto length to INT_MAX.
    - LP: #708839
  * posix-cpu-timers: workaround to suppress the problems with mt exec
    - LP: #712609
  * sys_semctl: fix kernel stack leakage
    - LP: #712749
  * x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet.
    - LP: #709372
  * memory corruption in X.25 facilities parsing
    - LP: #709372
  * net: ax25: fix information leak to userland, CVE-2010-3875
    - LP: #710714
    - CVE-2010-3875
  * net: ax25: fix information leak to userland harder, CVE-2010-3875
    - LP: #710714
    - CVE-2010-3875
  * fs/partitions/ldm.c: fix oops caused by corrupted partition table, CVE-2011-1017
    - LP: #771382
    - CVE-2011-1017
  * net: clear heap allocations for privileged ethtool actions
    - LP: #771445
  * Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the signal code
    - LP: #772543
  * Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo
    - LP: #772543
  * exec: make argv/envp memory visible to oom-killer
    - LP: #768408
  * next_pidmap: fix overflow condition
    - LP: #784727
  * proc: do proper range check on readdir offset
    - LP: #784727
  * mpt2sas: prevent heap overflows and unchecked reads
    - LP: #787145
  * agp: fix arbitrary kernel memory writes
    - LP: #788684
  * can: add missing socket check in can/raw release
    - LP: #788694
  * agp: fix OOM and buffer overflow
    - LP: #788700
  * do_exit(): make sure that we run with get_fs() == USER_DS - CVE-2010-4258
    - LP: #723945
    - CVE-2010-4258
  * x25: Prevent crashing when parsing bad X.25 facilities - CVE-2010-4164
    - LP: #731199
    - CVE-2010-4164
  * install_special_mapping skips security_file_mmap check - CVE-2010-4346
    - LP: #731971
    - CVE-2010-4346
  * econet: Fix crash in aun_incoming() - CVE-2010-4342
    - LP: #736394
    - CVE-2010-4342
  * sound: Prevent buffer overflow in OSS load_mixer_volumes - CVE-2010-4527
    - LP: #737073
    - CVE-2010-4527
  * irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529
    - LP: #737823
    - CVE-2010-4529
  * CAN: Use inode instead of kernel address for /proc file - CVE-2010-4565
    - LP: #765007...

Read more...

Changed in linux-fsl-imx51 (Ubuntu Lucid):
status: In Progress → Fix Released
Changed in linux-lts-backport-maverick (Ubuntu Dapper):
status: New → Won't Fix
Changed in linux-lts-backport-maverick (Ubuntu Karmic):
status: New → Won't Fix
Changed in linux (Ubuntu Dapper):
status: Fix Committed → Won't Fix
Changed in linux-lts-backport-maverick (Ubuntu Hardy):
status: New → Won't Fix
Changed in linux-mvl-dove (Ubuntu Maverick):
status: New → Won't Fix
Changed in linux-lts-backport-maverick (Ubuntu Lucid):
status: New → Won't Fix
Changed in linux-lts-backport-maverick (Ubuntu Maverick):
status: New → Won't Fix
Revision history for this message
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in linux-mvl-dove (Ubuntu Lucid):
status: In Progress → Won't Fix
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.