CVE-2010-0415

First published: Sun Feb 07 2010(Updated: )

Description of problem: Ramon de C. Valle spotted a problem in sys_move_pages, where "node" value is read from userspace, but not limited to the node set within the kernel itself. Due to the bit tests in mm/migrate.c:do_move_pages it is easy to read out the kernel memory (as node can also be negative). (The node_isset and node_state functions just map to test_bit, which has no limiter in the normal implementations.) There also is (in my eyes) the chance we can corrupt kernel memory later on if we have all the right bits setup, but I did not research this further. Issue was present starting as sys_move_pages was introduced in 2.6.18. Solved in mainline by commit below. commit 6f5a55f1a6c5abee15a0e878e5c74d9f1569b8b0 Author: Linus Torvalds <torvalds> Date: Fri Feb 5 16:16:50 2010 -0800 Fix potential crash with sys_move_pages We incorrectly depended on the 'node_state/node_isset()' functions testing the node range, rather than checking it explicitly. That's not reliable, even if it might often happen to work. So do the proper explicit test. Reported-by: Marcus Meissner <meissner> Acked-and-tested-by: Brice Goglin <Brice.Goglin> Acked-by: Hugh Dickins <hugh.dickins.uk> Cc: stable Signed-off-by: Linus Torvalds <torvalds> Acknowledgements: Red Hat would like to thank Ramon de C. Valle for reporting this issue.

Credit: secalert@redhat.com

Affected Software	Affected Version	How to fix
Linux Linux kernel	=2.6.11
Linux Linux kernel	=2.6.23.4
Linux Linux kernel	=2.6.16.16
Linux Linux kernel	=2.6.18.7
Linux Linux kernel	=2.6.17.12
Linux Linux kernel	=2.6.16.9
Linux Linux kernel	=2.6.17.9
Linux Linux kernel	=2.6.11.2
Linux Linux kernel	=2.6.5
Linux Linux kernel	=2.6.15.3
Linux Linux kernel	=2.6.11.10
Linux Linux kernel	=2.6.1
Linux Linux kernel	=2.6.16.6
Linux Linux kernel	=2.6.16.8
Linux Linux kernel	=2.6.22.4
Linux Linux kernel	=2.6.14.7
Linux Linux kernel	=2.6.13
Linux Linux kernel	=2.6.17.2
Linux Linux kernel	=2.6.13.3
Linux Linux kernel	=2.6.11.8
Linux Linux kernel	=2.6.23.7
Linux Linux kernel	=2.6.17.8
Linux Linux kernel	=2.6.14.4
Linux Linux kernel	=2.6.14
Linux Linux kernel	=2.6.17.4
Linux Linux kernel	=2.6.16.18
Linux Linux kernel	=2.6.17.14
Linux Linux kernel	=2.6.10
Linux Linux kernel	=2.6.14.3
Linux Linux kernel	=2.6.24-rc3
Linux Linux kernel	=2.6.18.3
Linux Linux kernel	=2.6.11.6
Linux Linux kernel	=2.6.11.11
Linux Linux kernel	=2.6.16.13
Linux Linux kernel	=2.6.3
Linux Linux kernel	=2.6.32
Linux Linux kernel	=2.6.16.4
Linux Linux kernel	=2.6.17.3
Linux Linux kernel	=2.6.32.3
Linux Linux kernel	=2.6.22
Linux Linux kernel	=2.6.4
Linux Linux kernel	=2.6.16.15
Linux Linux kernel	=2.6.15.6
Linux Linux kernel	=2.6.24-rc5
Linux Linux kernel	=2.6.15.1
Linux Linux kernel	=2.6.11.5
Linux Linux kernel	=2.6.18.4
Linux Linux kernel	=2.6.33-rc1
Linux Linux kernel	=2.6.16.1
Linux Linux kernel	=2.6.18.1
Linux Linux kernel	=2.6.23.1
Linux Linux kernel	=2.6.2
Linux Linux kernel	=2.6.14.5
Linux Linux kernel	=2.6.13.2
Linux Linux kernel	=2.6.17.5
Linux Linux kernel	=2.6.24-rc4
Linux Linux kernel	=2.6.18.5
Linux Linux kernel	=2.6.13.5
Linux Linux kernel	=2.6.17
Linux Linux kernel	=2.6.16.11
Linux Linux kernel	=2.6.16.14
Linux Linux kernel	<=2.6.33
Linux Linux kernel	=2.6.33-rc2
Linux Linux kernel	=2.6.16.25
Linux Linux kernel	=2.6.16.21
Linux Linux kernel	=2.6.8
Linux Linux kernel	=2.6.16.28
Linux Linux kernel	=2.6.17.10
Linux Linux kernel	=2.6.14.1
Linux Linux kernel	=2.6.16.23
Linux Linux kernel	=2.6.12.5
Linux Linux kernel	=2.6.15.7
Linux Linux kernel	=2.6.22.7
Linux Linux kernel	=2.6.16.3
Linux Linux kernel	=2.6.24-rc1
Linux Linux kernel	=2.6.14.6
Linux Linux kernel	=2.6.12.1
Linux Linux kernel	=2.6.11.9
Linux Linux kernel	=2.6.17.1
Linux Linux kernel	=2.6.0
Linux Linux kernel	=2.6.13.4
Linux Linux kernel	=2.6.23-rc2
Linux Linux kernel	=2.6.22.6
Linux Linux kernel	=2.6.23.3
Linux Linux kernel	=2.6.18.8
Linux Linux kernel	=2.6.22.3
Linux Linux kernel	=2.6.12.2
Linux Linux kernel	=2.6.16.31
Linux Linux kernel	=2.6.16.26
Linux Linux kernel	=2.6.18.2
Linux Linux kernel	=2.6.16.29
Linux Linux kernel	=2.6.23-rc1
Linux Linux kernel	=2.6.16
Linux Linux kernel	=2.6.15.2
Linux Linux kernel	=2.6.16.22
Linux Linux kernel	=2.6.17.11
Linux Linux kernel	=2.6.16.10
Linux Linux kernel	=2.6.12.4
Linux Linux kernel	=2.6.11.3
Linux Linux kernel	=2.6.16.24
Linux Linux kernel	=2.6.23
Linux Linux kernel	=2.6.12.3
Linux Linux kernel	=2.6.23.2
Linux Linux kernel	=2.6.7
Linux Linux kernel	=2.6.32.4
Linux Linux kernel	=2.6.16.30
Linux Linux kernel	=2.6.15.4
Linux Linux kernel	=2.6.24-rc2
Linux Linux kernel	=2.6.16.17
Linux Linux kernel	=2.6.16.12
Linux Linux kernel	<=2.6.33
Linux Linux kernel	=2.6.16.27
Linux Linux kernel	=2.6.12.6
Linux Linux kernel	=2.6.17.7
Linux Linux kernel	=2.6.11.7
Linux Linux kernel	=2.6.16.2
Linux Linux kernel	=2.6.18.6
Linux Linux kernel	=2.6.15
Linux Linux kernel	=2.6.33-rc4
Linux Linux kernel	=2.6.23.5
Linux Linux kernel	=2.6.32.2
Linux Linux kernel	=2.6.17.6
Linux Linux kernel	=2.6.23.6
Linux Linux kernel	=2.6.16.7
Linux Linux kernel	=2.6.32.1
Linux Linux kernel	=2.6.17.13
Linux Linux kernel	=2.6.22.2
Linux Linux kernel	=2.6.8.1
Linux Linux kernel	=2.6.22.5
Linux Linux kernel	=2.6.16.5
Linux Linux kernel	=2.6.11.4
Linux Linux kernel	=2.6.16.19
Linux Linux kernel	=2.6.11.12
Linux Linux kernel	=2.6.16.20
Linux Linux kernel	=2.6.15.5
Linux Linux kernel	=2.6.11.1
Linux Linux kernel	=2.6.33-rc5
Linux Linux kernel	=2.6.9
Linux Linux kernel	=2.6.13.1
Linux Linux kernel	=2.6.6
Linux Linux kernel	=2.6.12

Remedy

http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.33-rc7

CVE-2010-0415

Remedy

Never miss a vulnerability like this again

Reference Links

Company

Resources

Contact