Vulnerability Note VU#981222

The Linux kernel uses a linked list of vitrual memory area (VMA) descriptors to reference valid regions of the page table for a given process. VMA descriptors include information about the memory area such as start address, length, and page protection flags. A VMA effectively contains a range of page table entries (PTEs) that make up part of the page table.

The mremap(2) system call has the ability to resize or move a VMA or part of a VMA within a process' memory space. mremap(2) contains a function called do_munmap() that is used to unmap regions of memory during resize or move operations. There is a limit on the number of VMA descriptors that can exist at one time, and do_munmap() does not create a new VMA descriptor if doing so would exceed this limit.

In certain cases, mremap(2) does not properly check the return value from the do_munmap() function, and will map PTEs to new locations even though the expected VMAs have not been created or updated. By carefully manipulating VMA to PTE relationships, a local attacker can read from or write to memory owned by a process running with different privileges.

Further technical details are available in an advisory from iSEC. Note that this vulnerability is distinct from the one described in VU#490620/CAN-2003-0985.

An authenticated, local attacker could execute arbitrary code with root privileges.

Patch or Upgrade

Apply a patch or upgrade as specified by your vendor. This issue is resolved in Linux kernels 2.2.26, 2.4.25, and 2.6.3 from the Linux Kernel Archives.