A vulnerability in the Linux mremap(2) system call could allow an authenticated, local attacker to execute arbitrary code with root privileges.
The Linux kernel uses a linked list of virtual memory area (VMA) descriptors to reference the valid regions of the page table for a given process. Each VMA descriptor records information about a memory area such as its start address, length, and page protection flags. A VMA effectively covers a range of page table entries (PTEs) that make up part of the process's page table.
The mremap(2) system call can resize or move a VMA, or part of a VMA, within a process's address space. To do so it calls the kernel function do_munmap(), which unmaps regions of memory during resize or move operations. There is a limit on the number of VMA descriptors that may exist at one time, and do_munmap() does not create a new VMA descriptor if doing so would exceed this limit.
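To make the VMA and mremap(2) behaviour described above concrete, the following C program is an added illustration; it is not code from this note, from iSEC, or from the kernel. It assumes a Linux host with /proc mounted: it creates an anonymous mapping, counts the VMA entries visible in /proc/self/maps, doubles the mapping with mremap(2) (allowing the kernel to move it), and checks that the original bytes survived the move and that the new tail is zero-filled.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifdef __linux__
/* Ensure the Linux-specific pieces are visible even if feature macros were
   not set early enough; MREMAP_MAYMOVE is 1 on Linux. */
#ifndef MREMAP_MAYMOVE
#define MREMAP_MAYMOVE 1
#endif
void *mremap(void *old_address, size_t old_size, size_t new_size, int flags, ...);
#endif

/* Count the VMA descriptors of this process: one line per VMA in
   /proc/self/maps.  Returns -1 if the file cannot be read. */
static long count_vmas(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;
    long n = 0;
    char line[512];
    while (fgets(line, sizeof line, f))
        n++;
    fclose(f);
    return n;
}

/* Map `pages` anonymous pages, fill them with a marker, grow the mapping to
   twice its size with mremap(2), and verify the contents.
   Returns 0 on success, 1 if mremap(2) is unavailable on this platform,
   and -1 on any failure. */
int grow_mapping_with_mremap(size_t pages)
{
#ifndef __linux__
    (void)pages;
    return 1; /* mremap(2) is Linux-specific */
#else
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || pages == 0)
        return -1;
    size_t old_len = (size_t)page * pages;
    size_t new_len = old_len * 2;

    char *p = mmap(NULL, old_len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    memset(p, 0x5a, old_len); /* constructed marker byte */

    long before = count_vmas();
    /* MREMAP_MAYMOVE lets the kernel relocate the VMA if it cannot grow in place */
    char *q = mremap(p, old_len, new_len, MREMAP_MAYMOVE);
    if (q == MAP_FAILED) {
        munmap(p, old_len);
        return -1;
    }
    long after = count_vmas();

    /* The original bytes must still be readable at the (possibly new) address,
       and the added tail must be fresh zero-filled anonymous memory. */
    int ok = (q[0] == 0x5a && q[old_len - 1] == 0x5a);
    ok = ok && (q[old_len] == 0 && q[new_len - 1] == 0);

    printf("mremap: %p -> %p, %zu -> %zu bytes, VMAs %ld -> %ld\n",
           (void *)p, (void *)q, old_len, new_len, before, after);
    munmap(q, new_len);
    return ok ? 0 : -1;
#endif
}

int main(void)
{
    return grow_mapping_with_mremap(2) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

Comparing the two VMA counts in the printed line shows whether the kernel grew the existing descriptor in place or created a new one at a different address, which is the bookkeeping the descriptor limit mentioned above applies to.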
An authenticated, local attacker could execute arbitrary code with root privileges.
|Vendor|Status|
|Fedora Legacy Project|Affected|
|Fedora Project|Affected|
|Gentoo Linux|Affected|
|Linux Kernel Archives|Affected|
|Linux Netwosix|Affected|
|Openwall GNU/*/Linux|Affected|
|Red Hat Inc.|Affected|
|SuSE Inc.|Affected|
|Sun Microsystems Inc.|Affected|
|Apple Computer Inc.|Not Affected|
|Fujitsu|Not Affected|
|NetBSD|Not Affected|
|Cray Inc.|Unknown|
|EMC Corporation|Unknown|
|Guardian Digital Inc.|Unknown|
|Hewlett-Packard Company|Unknown|
|Ingrian Networks|Unknown|
|Juniper Networks|Unknown|
|MontaVista Software|Unknown|
|NEC Corporation|Unknown|
|Sony Corporation|Unknown|
|Wind River Systems Inc.|Unknown|
This vulnerability was researched and reported by Paul Starzetz of iSEC.
This document was written by Art Manion.
|Date First Published:|2004-03-10|
|Date Last Updated:|2004-03-25 17:10 UTC|