US-CERT Vulnerability Notes Database

Vulnerability Note VU#981222

Linux kernel mremap(2) system call does not properly check return value from do_munmap() function

Overview

A vulnerability in the Linux mremap(2) system call could allow an authenticated, local attacker to execute arbitrary code with root privileges.

I. Description

The Linux kernel uses a linked list of virtual memory area (VMA) descriptors to reference the valid regions of a given process's page table. Each VMA descriptor records information about its memory area, such as the start address, length, and page protection flags. A VMA effectively covers a range of page table entries (PTEs) that make up part of the page table.

The mremap(2) system call can resize or move a VMA, or part of a VMA, within a process's memory space. The kernel's mremap(2) implementation calls a function named do_munmap() to unmap regions of memory during resize or move operations. There is a limit on the number of VMA descriptors that can exist at one time, and do_munmap() does not create a new VMA descriptor if doing so would exceed this limit.

In certain cases, mremap(2) does not check the return value of do_munmap() and maps PTEs to new locations even though the expected VMAs have not been created or updated. By carefully manipulating the VMA to PTE relationships, a local attacker can read from or write to memory owned by a process running with different privileges.

Further technical details are available in an advisory from iSEC. Note that this vulnerability is distinct from the one described in VU#490620/CAN-2003-0985.

II. Impact

An authenticated, local attacker could execute arbitrary code with root privileges.

III. Solution

Patch or Upgrade

Apply a patch or upgrade as specified by your vendor. This issue is resolved in Linux kernels 2.2.26, 2.4.25, and 2.6.3 from the Linux Kernel Archives.
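As an added example (not part of the original note), the following script compares a kernel release string from uname -r against the fixed upstream versions named above. Because distribution kernels often carry backported fixes under older version numbers, a "vulnerable" result here means "consult your vendor's advisory", not a confirmed exposure; the release strings used in the comments are constructed for illustration.

```python
import platform
import re

# Upstream kernel releases that resolve VU#981222 / CAN-2004-0077, per the note.
FIXED_UPSTREAM = {
    (2, 2): (2, 2, 26),
    (2, 4): (2, 4, 25),
    (2, 6): (2, 6, 3),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-(?:rc|pre)\d+)?")


def parse_kernel_version(release):
    """Return (major, minor, patch, is_final) from a `uname -r` string.

    Distribution suffixes such as '-1.2174.nptl' are ignored; an upstream
    pre-release suffix ('-rc4', '-pre2') sets is_final to 0 so that it sorts
    below the final release with the same number.
    """
    m = VERSION_RE.match(release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    is_final = 0 if m.group(4) else 1
    return (major, minor, patch, is_final)


def upstream_vulnerable(release):
    """True if the upstream code at this version predates the fix on its
    branch, False if it includes the fix, None if the note does not cover
    the branch (e.g. 2.0.x or 3.x). Vendor backports are not detected."""
    major, minor, patch, is_final = parse_kernel_version(release)
    fixed = FIXED_UPSTREAM.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch, is_final) < fixed + (1,)


if __name__ == "__main__":
    running = platform.release()  # e.g. a constructed '2.4.22-1.2174.nptl'
    verdict = upstream_vulnerable(running)
    if verdict is None:
        print("%s: branch not covered by VU#981222" % running)
    elif verdict:
        print("%s: predates upstream fix; check vendor advisory" % running)
    else:
        print("%s: includes upstream fix" % running)
```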

Systems Affected

Vendor                      Status           Date Notified/Updated
Apple Computer Inc.         Not Vulnerable   11-Mar-2004
Astaro                      Vulnerable       25-Mar-2004
Conectiva                   Vulnerable       11-Mar-2004
Cray Inc.                   Unknown          11-Mar-2004
Debian                      Vulnerable       11-Mar-2004
EMC Corporation             Unknown          11-Mar-2004
Fedora Legacy Project       Vulnerable       25-Mar-2004
Fedora Project              Vulnerable       25-Mar-2004
FreeBSD                     Unknown          11-Mar-2004
Fujitsu                     Not Vulnerable   25-Mar-2004
Gentoo Linux                Vulnerable       11-Mar-2004
Guardian Digital Inc.       Unknown          11-Mar-2004
Hewlett-Packard Company     Unknown          11-Mar-2004
Hitachi                     Unknown          11-Mar-2004
IBM                         Unknown          25-Mar-2004
Ingrian Networks            Unknown          11-Mar-2004
Juniper Networks            Unknown          11-Mar-2004
Linux Kernel Archives       Vulnerable       10-Mar-2004
Linux Netwosix              Vulnerable       25-Mar-2004
MandrakeSoft                Vulnerable       25-Mar-2004
MontaVista Software         Unknown          11-Mar-2004
NEC Corporation             Unknown          11-Mar-2004
NetBSD                      Not Vulnerable   25-Mar-2004
Nokia                       Unknown          11-Mar-2004
Novell                      Unknown          11-Mar-2004
OpenBSD                     Unknown          11-Mar-2004
Openwall GNU/*/Linux        Vulnerable       25-Mar-2004
Red Hat Inc.                Vulnerable       11-Mar-2004
SCO                         Unknown          11-Mar-2004
Sequent                     Unknown          11-Mar-2004
SGI                         Vulnerable       25-Mar-2004
Slackware                   Vulnerable       25-Mar-2004
SmoothWall                  Vulnerable       11-Mar-2004
Sony Corporation            Unknown          11-Mar-2004
Sun Microsystems Inc.       Vulnerable       25-Mar-2004
SuSE Inc.                   Vulnerable       11-Mar-2004
Trustix                     Vulnerable       11-Mar-2004
TurboLinux                  Vulnerable       11-Mar-2004
Unisys                      Unknown          11-Mar-2004
Wind River Systems Inc.     Unknown          11-Mar-2004
Wirex                       Vulnerable       11-Mar-2004

References

http://www.kernel.org/
http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt
http://www.securityfocus.com/archive/1/354284
http://www.securityfocus.com/archive/1/355781
http://www.securityfocus.com/bid/9686
http://xforce.iss.net/xforce/xfdb/15244
http://secunia.com/advisories/10897/

Credit

This vulnerability was researched and reported by Paul Starzetz of iSEC.

This document was written by Art Manion.

Other Information

Date Public: 2004-02-18
Date First Published: 2004-03-10
Date Last Updated: 2004-03-25
CERT Advisory:
CVE-ID(s): CAN-2004-0077
NVD-ID(s): CAN-2004-0077
US-CERT Technical Alerts:
Metric: 26.52
Document Revision: 26

Copyright 2004 Carnegie Mellon University