[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Re: CVE request - kernel: execve: must clear current->clear_child_tid
From:       "Steven M. Christey" <coley () linus ! mitre ! org>
Date:       2009-08-18 20:51:58
Message-ID: Pine.GSO.4.51.0908181649520.17763 () faron ! mitre ! org
[Download RAW message or body]


On Tue, 4 Aug 2009, Eugene Teo wrote:

> The integer location is a user provided pointer, provided at clone() time.
>
> kernel keeps this pointer value into current->clear_child_tid.
>
> At execve() time, we should make sure kernel doesnt keep this user
> provided pointer, as full user memory is replaced by a new one.
>
>...
>
> Patch is not in upstream kernel yet.

I assumed 2.6.30-rc6 and earlier at this stage.

======================================================
Name: CVE-2009-2848
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2848
Reference: MLIST:[linux-kernel] 20090801 [PATCH v2] execve: must clear current->clear_child_tid
Reference: URL:http://article.gmane.org/gmane.linux.kernel/871942
Reference: MLIST:[oss-security] 20090804 CVE request - kernel: execve: must clear current->clear_child_tid
Reference: URL:http://www.openwall.com/lists/oss-security/2009/08/04/2
Reference: MLIST:[oss-security] 20090805 Re: CVE request - kernel: execve: must clear current->clear_child_tid
Reference: URL:http://www.openwall.com/lists/oss-security/2009/08/05/10

The execve function in the Linux kernel, possibly 2.6.30-rc6 and
earlier, does not properly clear the current->clear_child_tid pointer,
which allows local users to cause a denial of service (memory
corruption) via a clone system call with CLONE_CHILD_SETTID or
CLONE_CHILD_CLEARTID enabled, which is not properly handled during
thread creation and exit.

[prev in list] [next in list] [prev in thread] [next in thread]