Vulnerability Note VU#981222

Linux kernel mremap(2) system call does not properly check return value from do_munmap() function

Original Release date: 10 Mar 2004 | Last revised: 25 Mar 2004

Overview

A vulnerability in the Linux mremap(2) system call could allow an authenticated, local attacker to execute arbitrary code with root privileges.

Description

The Linux kernel uses a linked list of virtual memory area (VMA) descriptors to reference valid regions of the page table for a given process. VMA descriptors include information about the memory area such as start address, length, and page protection flags. A VMA effectively contains a range of page table entries (PTEs) that make up part of the page table.

The mremap(2) system call has the ability to resize or move a VMA, or part of a VMA, within a process's memory space. mremap(2) calls a kernel function, do_munmap(), to unmap regions of memory during resize or move operations. There is a limit on the number of VMA descriptors that can exist at one time, and do_munmap() does not create a new VMA descriptor if doing so would exceed this limit.

In certain cases, mremap(2) does not properly check the return value from the do_munmap() function, and will map PTEs to new locations even though the expected VMAs have not been created or updated. By carefully manipulating VMA to PTE relationships, a local attacker can read from or write to memory owned by a process running with different privileges.

Further technical details are available in an advisory from iSEC. Note that this vulnerability is distinct from the one described in VU#490620/CAN-2003-0985.

Impact

An authenticated, local attacker could execute arbitrary code with root privileges.

Solution

Patch or Upgrade

Apply a patch or upgrade as specified by your vendor. This issue is resolved in Linux kernels 2.2.26, 2.4.25, and 2.6.3 from the Linux Kernel Archives.
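As an added example (not part of the CERT note and not kernel project code), the following POSIX sh check compares a kernel version string against the fixed releases named above; the function name mremap_fixed and the treatment of -rc/-pre suffixes are my own conventions.

```sh
#!/bin/sh
# Added example, not code from the CERT note: decide whether a kernel version
# string is at or past the fixed releases the Solution names (2.2.26, 2.4.25,
# 2.6.3). Distribution kernels often backport fixes without bumping the version,
# so a non-zero result means "confirm with your vendor", not "vulnerable".

# mremap_fixed VERSION
#   exit 0 = at or past the fix, 1 = older than the fix, 2 = unparseable string
mremap_fixed() {
    input=$1
    # Extract "x y z"; accept a trailing suffix such as "-smp" or "-1-686".
    ver=$(printf '%s' "$input" | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    suffix=$(printf '%s' "$input" | sed 's/^[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*//')
    set -- $ver
    major=$1; minor=$2; patch=$3
    # A -pre or -rc build precedes its final release, so treat it as one patch older.
    case "$suffix" in -pre*|-rc*) patch=$((patch - 1)) ;; esac
    case "$major.$minor" in
        2.2) [ "$patch" -ge 26 ] ;;
        2.4) [ "$patch" -ge 25 ] ;;
        2.6) [ "$patch" -ge 3 ] ;;
        *)
            # Anything newer than the 2.6 line carries the fix; older lines
            # (2.0, 2.1 and the 2.3/2.5 development series) predate it.
            [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -gt 6 ]; } ;;
    esac
}

# Run with --check to test the kernel this script is executing on.
if [ "${1:-}" = "--check" ]; then
    k=$(uname -r)
    if mremap_fixed "$k"; then echo "$k: at or past the fixed release"
    else echo "$k: older than the fixed release, confirm with your vendor"; fi
fi
```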

Systems Affected

Vendor                   Status     Date Notified   Date Updated
Astaro                   Affected   -               25 Mar 2004
Conectiva                Affected   10 Mar 2004     11 Mar 2004
Debian                   Affected   10 Mar 2004     11 Mar 2004
Fedora Legacy Project    Affected   -               25 Mar 2004
Fedora Project           Affected   -               25 Mar 2004
Gentoo Linux             Affected   -               11 Mar 2004
Linux Kernel Archives    Affected   -               10 Mar 2004
Linux Netwosix           Affected   -               25 Mar 2004
MandrakeSoft             Affected   10 Mar 2004     25 Mar 2004
Openwall GNU/*/Linux     Affected   10 Mar 2004     25 Mar 2004
Red Hat Inc.             Affected   10 Mar 2004     11 Mar 2004
SGI                      Affected   10 Mar 2004     25 Mar 2004
Slackware                Affected   -               25 Mar 2004
SmoothWall               Affected   -               11 Mar 2004
Sun Microsystems Inc.    Affected   10 Mar 2004     25 Mar 2004
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A     N/A

References

Credit

This vulnerability was researched and reported by Paul Starzetz of iSEC.

This document was written by Art Manion.

Other Information

  • CVE IDs: CAN-2004-0077
  • Date Public: 18 Feb 2004
  • Date First Published: 10 Mar 2004
  • Date Last Updated: 25 Mar 2004
  • Severity Metric: 26.52
  • Document Revision: 26
