CVE-2010-4258
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
linux (Ubuntu) | Fix Released | Undecided | Unassigned | |
Dapper | Won't Fix | Undecided | Brad Figg | |
Hardy | Fix Released | Undecided | Brad Figg | |
Karmic | Fix Released | Undecided | Brad Figg | |
Lucid | Fix Released | Undecided | Unassigned | |
Maverick | Fix Released | Undecided | Unassigned | |
Natty | Fix Released | Undecided | Unassigned | |
linux-fsl-imx51 (Ubuntu) | Invalid | Undecided | Unassigned | |
Dapper | Invalid | Undecided | Unassigned | |
Hardy | Invalid | Undecided | Unassigned | |
Karmic | Won't Fix | Undecided | Unassigned | |
Lucid | Fix Released | Undecided | Unassigned | |
Maverick | Invalid | Undecided | Unassigned | |
Natty | Invalid | Undecided | Unassigned | |
linux-lts-backport-maverick (Ubuntu) | Invalid | Undecided | Unassigned | |
Dapper | Won't Fix | Undecided | Unassigned | |
Hardy | Won't Fix | Undecided | Unassigned | |
Karmic | Won't Fix | Undecided | Unassigned | |
Lucid | Won't Fix | Undecided | Unassigned | |
Maverick | Won't Fix | Undecided | Unassigned | |
Natty | Invalid | Undecided | Unassigned | |
linux-mvl-dove (Ubuntu) | Invalid | Undecided | Unassigned | |
Dapper | Invalid | Undecided | Unassigned | |
Hardy | Invalid | Undecided | Unassigned | |
Karmic | Invalid | Undecided | Unassigned | |
Lucid | Won't Fix | Undecided | Paolo Pisati | |
Maverick | Won't Fix | Undecided | Paolo Pisati | |
Natty | Invalid | Undecided | Unassigned | |
linux-ti-omap4 (Ubuntu) | Fix Released | Undecided | Unassigned | |
Dapper | Invalid | Undecided | Unassigned | |
Hardy | Invalid | Undecided | Unassigned | |
Karmic | Invalid | Undecided | Unassigned | |
Lucid | Invalid | Undecided | Unassigned | |
Maverick | Fix Released | Undecided | Paolo Pisati | |
Natty | Fix Released | Undecided | Unassigned | |
Bug Description
If a user manages to trigger an oops with fs set to KERNEL_DS, fs is not
otherwise reset before do_exit(). do_exit may later (via mm_release in
fork.c) do a put_user to a user-controlled address, potentially allowing
a user to leverage an oops into a controlled write into kernel memory.

This is only triggerable in the presence of another bug, but this
potentially turns a lot of DoS bugs into privilege escalations, so it's
worth fixing. I have proof-of-concept code which uses this bug along
with CVE-2010-3849 to write a zero to an arbitrary kernel address, so
I've tested that this is not theoretical.

A more logical place to put this fix might be when we know an oops has
occurred, before we call do_exit(), but that would involve changing
every architecture, in multiple places.

Let's just stick it in do_exit instead.
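
An added illustration, not part of the bug report or the kernel patch: a user-space C model of why the address limit matters when the exit path clears a user-supplied pointer. Every `model_*` name, the 64 KiB address space and the 0x8000 user/kernel split are constructed for this example; the `reset_fs` flag stands in for resetting the limit to USER_DS at the start of do_exit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy address space: [0, 0x8000) is "user", the rest "kernel". */
#define MODEL_USER_DS   0x8000u
#define MODEL_KERNEL_DS 0x10000u   /* limit lifted: every address passes */
#define MODEL_EFAULT    14
#define MODEL_TARGET    0x9000u    /* address above the user range */

static uint8_t model_mem[MODEL_KERNEL_DS];
struct model_task {
    uint32_t addr_limit;       /* what get_fs() would report */
    uint32_t clear_child_tid;  /* user-supplied pointer, cleared on exit */
};

/* put_user(0, addr): a 4-byte store is allowed only below the current limit. */
static int model_put_user_zero(const struct model_task *t, uint32_t addr)
{
    if (addr > t->addr_limit - 4u)
        return -MODEL_EFAULT;
    memset(&model_mem[addr], 0, 4);
    return 0;
}

/* do_exit() -> mm_release(); reset_fs models the fix (limit back to USER_DS). */
static int model_do_exit(struct model_task *t, int reset_fs)
{
    if (reset_fs)
        t->addr_limit = MODEL_USER_DS;
    return t->clear_child_tid ? model_put_user_zero(t, t->clear_child_tid) : 0;
}

/* A task that oopsed while its limit was KERNEL_DS, then went through exit. */
static int model_oops_exit(int reset_fs)
{
    struct model_task t = { MODEL_KERNEL_DS, MODEL_TARGET };
    memset(&model_mem[MODEL_TARGET], 0xAA, 4);   /* "kernel" data to protect */
    return model_do_exit(&t, reset_fs);
}
static int model_target_byte(void) { return model_mem[MODEL_TARGET]; }

int main(void)
{
    int rc0 = model_oops_exit(0), b0 = model_target_byte();
    int rc1 = model_oops_exit(1), b1 = model_target_byte();
    printf("no reset: rc=%d byte=0x%02x; reset: rc=%d byte=0x%02x\n", rc0, b0, rc1, b1);
    return 0;
}
```

Without the reset the store passes the check and the protected bytes are zeroed; with it the same store is rejected with -EFAULT and the bytes are left intact.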
security vulnerability: no → yes
description: updated
summary:
- CVE-2010-4258
+ lockdep warning in KSM
Changed in linux (Ubuntu Natty):
status: New → Fix Released
Changed in linux (Ubuntu Dapper):
assignee: nobody → Brad Figg (brad-figg)
status: New → Fix Committed
Changed in linux (Ubuntu Hardy):
assignee: nobody → Brad Figg (brad-figg)
status: New → Fix Committed
Changed in linux (Ubuntu Karmic):
assignee: nobody → Brad Figg (brad-figg)
status: New → Fix Committed
Changed in linux-mvl-dove (Ubuntu Natty):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Natty):
status: New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Natty):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Lucid):
status: New → Confirmed
Changed in linux-ti-omap4 (Ubuntu Maverick):
status: New → Confirmed
Changed in linux-ti-omap4 (Ubuntu Natty):
status: New → Confirmed
Changed in linux-ti-omap4 (Ubuntu Dapper):
status: New → Confirmed
Changed in linux-ti-omap4 (Ubuntu Hardy):
status: New → Confirmed
Changed in linux-ti-omap4 (Ubuntu Karmic):
status: New → Confirmed
tags: added: kernel-cve-tracking-bug
Changed in linux-ti-omap4 (Ubuntu Dapper):
status: Confirmed → Invalid
Changed in linux-ti-omap4 (Ubuntu Hardy):
status: Confirmed → Invalid
Changed in linux-ti-omap4 (Ubuntu Karmic):
status: Confirmed → Invalid
Changed in linux-ti-omap4 (Ubuntu Lucid):
status: Confirmed → Invalid
Changed in linux-mvl-dove (Ubuntu Dapper):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Hardy):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Karmic):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Lucid):
assignee: nobody → Paolo Pisati (p-pisati)
Changed in linux-mvl-dove (Ubuntu Maverick):
assignee: nobody → Paolo Pisati (p-pisati)
Changed in linux-ti-omap4 (Ubuntu Maverick):
assignee: nobody → Paolo Pisati (p-pisati)
Changed in linux (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in linux-mvl-dove (Ubuntu Lucid):
status: New → In Progress
Changed in linux-fsl-imx51 (Ubuntu Lucid):
status: New → In Progress
Changed in linux-lts-backport-maverick (Ubuntu Dapper):
status: New → Won't Fix
Changed in linux-lts-backport-maverick (Ubuntu Karmic):
status: New → Won't Fix
Changed in linux (Ubuntu Dapper):
status: Fix Committed → Won't Fix
Changed in linux-lts-backport-maverick (Ubuntu Hardy):
status: New → Won't Fix
Changed in linux-mvl-dove (Ubuntu Maverick):
status: New → Won't Fix
Changed in linux-lts-backport-maverick (Ubuntu Lucid):
status: New → Won't Fix
Changed in linux-lts-backport-maverick (Ubuntu Maverick):
status: New → Won't Fix
@nelson,
Do not change the title on any of the CVE tracking bugs.
Thanks