search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Linux kernel mremap(2) system call does not properly check return value from do_munmap() function

Vulnerability Note VU#981222

Original Release Date: 2004-03-10 | Last Revised: 2004-03-25

Overview

A vulnerability in the Linux mremap(2) system call could allow an authenticated, local attacker to execute arbitrary code with root privileges.

Description

The Linux kernel uses a linked list of vitrual memory area (VMA) descriptors to reference valid regions of the page table for a given process. VMA descriptors include information about the memory area such as start address, length, and page protection flags. A VMA effectively contains a range of page table entries (PTEs) that make up part of the page table.

The mremap(2) system call has the ability to resize or move a VMA or part of a VMA within a process' memory space. mremap(2) contains a function called do_munmap() that is used to unmap regions of memory during resize or move operations. There is a limit on the number of VMA descriptors that can exist at one time, and do_munmap() does not create a new VMA descriptor if doing so would exceed this limit.

In certain cases, mremap(2) does not properly check the return value from the do_munmap() function, and will map PTEs to new locations even though the expected VMAs have not been created or updated. By carefully manipulating VMA to PTE relationships, a local attacker can read from or write to memory owned by a process running with different privileges.

Further technical details are available in an advisory from iSEC. Note that this vulnerability is distinct from the one described in VU#490620/CAN-2003-0985.

Impact

An authenticated, local attacker could execute arbitrary code with root privileges.

Solution

Patch or Upgrade

Apply a patch or upgrade as specified by your vendor. This issue is resolved in Linux kernels 2.2.26, 2.4.25, and 2.6.3 from the Linux Kernel Archives.

Vendor Information

981222
Expand all

Astaro

Updated:  March 25, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Up2Date 4.021 #35996.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Conectiva

Notified:  March 10, 2004 Updated:  March 11, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see CLSA-2004:820.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Notified:  March 10, 2004 Updated:  March 11, 2004

Status

  Vulnerable

Vendor Statement

We have fixed this problem for our various kernels in the following advisories:

http://www.debian.org/security/2004/dsa-456
http://www.debian.org/security/2004/dsa-454
http://www.debian.org/security/2004/dsa-453
http://www.debian.org/security/2004/dsa-450
http://www.debian.org/security/2004/dsa-444
http://www.debian.org/security/2004/dsa-442
http://www.debian.org/security/2004/dsa-440
http://www.debian.org/security/2004/dsa-439
http://www.debian.org/security/2004/dsa-441
http://www.debian.org/security/2004/dsa-438

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fedora Legacy Project

Updated:  March 25, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see FLSA:1284.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fedora Project

Updated:  March 25, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see FEDORA-2004-080.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Gentoo Linux

Updated:  March 11, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see GLSA 200403-02.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Linux Kernel Archives

Updated:  March 10, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This issue is resolved in Linux kernels 2.2.26, 2.4.25, and 2.6.3.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Linux Netwosix

Updated:  March 25, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see LNSA-#2004-0003.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft

Notified:  March 10, 2004 Updated:  March 25, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see MDKSA-2004:015 and MDKSA-2004:015-1.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Openwall GNU/*/Linux

Notified:  March 10, 2004 Updated:  March 25, 2004

Status

  Vulnerable

Vendor Statement

No supported release of Openwall GNU/*/Linux (Owl) was affected by this vulnerability as of the time it was made public. We had the bug proactively fixed in Owl 1.1 release (Linux kernel 2.4.23-ow2), not realizing its full security impact at the time.

Although those are no longer a part of Owl (not in Owl 1.1), we continue to maintain security hardening patches for Linux 2.2.x kernels and make them available for the public. Linux 2.2.x was affected by a variation of this vulnerability and thus, as a service to the community, we had included a workaround in Linux 2.2.25-ow2 patch. Linux 2.2.26 now includes the same change.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc.

Notified:  March 10, 2004 Updated:  March 11, 2004

Status

  Vulnerable

Vendor Statement

Updates to correct this issue were made available for Red Hat Linux and Red Hat Enterprise Linux. Users of the Red Hat Network can update their systems using the 'up2date' tool.

Red Hat Linux 9:

Red Hat Enterprise Linux 3:
Red Hat Enterprise Linux 2.1:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI

Notified:  March 10, 2004 Updated:  March 25, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see 20040204-01-U.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Slackware

Updated:  March 25, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see SSA:2004-049-01.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SmoothWall

Updated:  March 11, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see SWL-2004:002.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SuSE Inc.

Notified:  March 10, 2004 Updated:  March 11, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see SuSE-SA:2004:005.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc.

Notified:  March 10, 2004 Updated:  March 25, 2004

Status

  Vulnerable

Vendor Statement

The following Sun products are vulnerable.

Java Desktop System Version 2003.

A patch is available to customers via the on-line update mechanism in JDS. Please see http://wwws.sun.com/software/javadesktopsystem/update/index.html for further details.

Sun Cobalt legacy products:

RaQ4
RaQXTR
Qube3
RaQ550

Sun will be publishing Sun Alerts for this issue which will be available from the following location:

http://sunsolve.Sun.COM/pub-cgi/search.pl?mode=results&so=date&coll=fsalert&zone_32=category:security

The Sun Alerts will be updated with the patch information as soon as patches are available.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Trustix

Updated:  March 11, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see TSLSA-2004-0007 (Trustix 2.0, kernel 2.4.24) and TSLSA-2004-0008 (Trustix 1.5, kernel 2.2.25).

If you have feedback, comments, or additional information about this vulnerability, please send us email.

TurboLinux

Notified:  March 10, 2004 Updated:  March 11, 2004

Status

  Vulnerable

Vendor Statement

This Vulnerability is fixed by TLSA-2004-7.

Please refer to
http://www.turbolinux.com/security/2004/TLSA-2004-7.txt

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Wirex

Notified:  March 10, 2004 Updated:  March 11, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see IMNX-2004-7+-001-01.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer Inc.

Notified:  March 10, 2004 Updated:  March 11, 2004

Status

  Not Vulnerable

Vendor Statement

Apple: Not Vulnerable

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Notified:  March 10, 2004 Updated:  March 25, 2004

Status

  Not Vulnerable

Vendor Statement

Fujitsu's UXP/V o.s. is not affected by the problem in VU#981222 because it does not support the mremap.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD

Notified:  March 10, 2004 Updated:  March 25, 2004

Status

  Not Vulnerable

Vendor Statement

NetBSD is not affected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray Inc.

Updated:  March 11, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

EMC Corporation

Updated:  March 11, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD

Updated:  March 11, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Guardian Digital Inc.

Updated:  March 11, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company

Updated:  March 11, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hitachi

Updated:  March 11, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM

Notified:  March 10, 2004 Updated:  March 25, 2004

Status

  Unknown

Vendor Statement

IBM eServer Platform Response

For information related to this and other published CERT Advisories that may relate to the IBM eServer Platforms (xSeries, iSeries, pSeries, and zSeries) please go to https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/security=alerts?OpenDocument&pathID=

In order to access this information you will require a Resource Link ID. To subscribe to Resource Link go to http://app-06.www.ibm.com/servers/resourcelink and follow the steps for registration.

All questions should be reffered to servsec@us.ibm.com.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ingrian Networks

Updated:  March 11, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Juniper Networks

Updated:  March 11, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MontaVista Software

Updated:  March 11, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC Corporation

Updated:  March 11, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nokia

Updated:  March 11, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Novell

Updated:  March 11, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Updated:  March 11, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SCO

Updated:  March 11, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sequent

Updated:  March 11, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sony Corporation

Updated:  March 11, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Unisys

Updated:  March 11, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Wind River Systems Inc.

Updated:  March 11, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This vulnerability was researched and reported by Paul Starzetz of iSEC.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2004-0077
Severity Metric: 26.52
Date Public: 2004-02-18
Date First Published: 2004-03-10
Date Last Updated: 2004-03-25 17:10 UTC
Document Revision: 26

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.