CVE-2010-2240
Published: 17 August 2010
The do_anonymous_page function in mm/memory.c in the Linux kernel before 2.6.27.52, 2.6.32.x before 2.6.32.19, 2.6.34.x before 2.6.34.4, and 2.6.35.x before 2.6.35.2 does not properly separate the stack and the heap, which allows context-dependent attackers to execute arbitrary code by writing to the bottom page of a shared memory segment, as demonstrated by a memory-exhaustion attack against the X.Org X server.
From the Ubuntu Security Team
Gael Delalleu, Rafal Wojtczuk, and Brad Spengler discovered that the memory manager did not properly handle when applications grow stacks into adjacent memory regions. A local attacker could exploit this to gain control of certain applications, potentially leading to privilege escalation, as demonstrated in attacks against the X server.
Notes
Author | Note |
---|---|
smb | There seem to be three follow-up patches upstream (one of them is not CCed to stable, but should be (gets fixed up actually)). |
jdstrand | caused regression in Xen on hardy |
Priority
Status
References
- http://www.invisiblethingslab.com/resources/misc-2010/xorg-large-memory-attacks.pdf
- https://ubuntu.com/security/notices/USN-974-1
- https://ubuntu.com/security/notices/USN-974-2
- https://ubuntu.com/security/notices/USN-1074-1
- https://www.cve.org/CVERecord?id=CVE-2010-2240
- NVD
- Launchpad
- Debian