CVE-2010-2240

Published: 17 August 2010

The do_anonymous_page function in mm/memory.c in the Linux kernel before 2.6.27.52, 2.6.32.x before 2.6.32.19, 2.6.34.x before 2.6.34.4, and 2.6.35.x before 2.6.35.2 does not properly separate the stack and the heap, which allows context-dependent attackers to execute arbitrary code by writing to the bottom page of a shared memory segment, as demonstrated by a memory-exhaustion attack against the X.Org X server.

From the Ubuntu security team

Gael Delalleu, Rafal Wojtczuk, and Brad Spengler discovered that the memory manager did not properly handle applications growing their stacks into adjacent memory regions. A local attacker could exploit this to gain control of certain applications, potentially leading to privilege escalation, as demonstrated in attacks against the X server.
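How a stack can end up directly adjacent to an attacker-writable mapping, and what the guard-page fix changes, is easiest to see in a small model. The C program below is an added illustration written for this entry; it is not kernel code and not part of the Ubuntu tracker or the upstream patches. It models find_vma(), expand_stack() and the fix's check_stack_guard_page() over a constructed address space in which a shared memory segment has been mapped four pages below the stack VMA, then walks a stack pointer downward one page at a time, once with the pre-fix path and once with the guard check. The addresses, the 16-page segment, the 8 MB stack limit and the function names handle_fault() and simulate() are assumptions made for the demonstration.

```c
/* Added model of the Linux fault path for a grow-down stack VMA, with and
 * without the CVE-2010-2240 guard page. Not kernel code: addresses, VMA
 * layout and the page-by-page walk are constructed for illustration. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE    4096ULL
#define PAGE_MASK    (~(PAGE_SIZE - 1))
#define VM_GROWSDOWN 0x1u

struct vma { uint64_t vm_start, vm_end; unsigned vm_flags; };
struct mm  { struct vma vmas[4]; int nr; uint64_t stack_rlimit; }; /* sorted by address */

/* find_vma(): first VMA whose vm_end lies above addr; it need not contain addr. */
static struct vma *find_vma(struct mm *mm, uint64_t addr)
{
    for (int i = 0; i < mm->nr; i++)
        if (mm->vmas[i].vm_end > addr)
            return &mm->vmas[i];
    return NULL;
}

/* expand_stack(): pre-fix growth, bounded only by RLIMIT_STACK. Nothing here
 * stops vm_start from landing exactly on the previous VMA's vm_end. */
static int expand_stack(struct mm *mm, struct vma *vma, uint64_t addr)
{
    addr &= PAGE_MASK;
    if (addr >= vma->vm_start)
        return 0;
    if (vma->vm_end - addr > mm->stack_rlimit)
        return -ENOMEM;
    vma->vm_start = addr;
    return 0;
}

/* check_stack_guard_page(): the fix. The lowest page of a VM_GROWSDOWN VMA may
 * only be used if the page below it can still be claimed for the stack; when that
 * page belongs to another VMA the access is refused. A failed expansion (rlimit)
 * is not an error here, since the touched page is already inside the VMA. */
static int check_stack_guard_page(struct mm *mm, struct vma *vma, uint64_t addr)
{
    addr &= PAGE_MASK;
    if ((vma->vm_flags & VM_GROWSDOWN) && addr == vma->vm_start) {
        addr -= PAGE_SIZE;
        if (find_vma(mm, addr) != vma)
            return -ENOMEM;
        expand_stack(mm, vma, addr);
    }
    return 0;
}

/* Fault handler: VMA lookup, growth into a gap below a stack, then the
 * anonymous-page path where the guard check sits ('guard' = fixed kernel).
 * Returns 0 and the VMA that served the page, or -EFAULT (fatal signal). */
static int handle_fault(struct mm *mm, uint64_t addr, bool guard, struct vma **hit)
{
    addr &= PAGE_MASK;
    struct vma *vma = find_vma(mm, addr);
    if (!vma)
        return -EFAULT;
    if (addr < vma->vm_start &&
        (!(vma->vm_flags & VM_GROWSDOWN) || expand_stack(mm, vma, addr) < 0))
        return -EFAULT;
    if (guard && check_stack_guard_page(mm, vma, addr) < 0)
        return -EFAULT;
    *hit = vma;
    return 0;
}

/* Constructed layout: the stack VMA, and a client-writable shared memory
 * segment that memory exhaustion has left four pages below it. */
#define STACK_TOP 0x7ffffffff000ULL
#define STACK_LO  0x7fffffde0000ULL
#define SHM_END   (STACK_LO - 4 * PAGE_SIZE)
#define SHM_START (SHM_END - 16 * PAGE_SIZE)

struct result { int stack_pages; bool sigsegv; bool entered_shm; };

/* Walk the stack pointer down one page at a time, as a deeply recursing server
 * would, until the kernel refuses or a stack page is served from the segment. */
static struct result simulate(bool guard)
{
    struct mm mm = { .vmas = { { SHM_START, SHM_END, 0 },
                               { STACK_LO, STACK_TOP, VM_GROWSDOWN } },
                     .nr = 2, .stack_rlimit = 8ULL << 20 };
    struct result r = { 0, false, false };
    for (uint64_t addr = STACK_LO;; addr -= PAGE_SIZE) {
        struct vma *hit = NULL;
        if (handle_fault(&mm, addr, guard, &hit) < 0) { r.sigsegv = true; break; }
        if (!(hit->vm_flags & VM_GROWSDOWN)) { r.entered_shm = true; break; }
        r.stack_pages++;
    }
    return r;
}

int  stack_pages_used(bool guard)   { return simulate(guard).stack_pages; }
bool stack_entered_shm(bool guard)  { return simulate(guard).entered_shm; }
bool stopped_by_sigsegv(bool guard) { return simulate(guard).sigsegv; }

int main(void)
{
    for (int guard = 0; guard < 2; guard++) {
        struct result r = simulate(guard);
        printf("%s guard page: %d stack pages used, then %s\n", guard ? "with" : "without",
               r.stack_pages, r.sigsegv ? "SIGSEGV" : "frames served from the shm segment");
    }
    return 0;
}
```

Without the check, the stack VMA grows until its vm_start equals the segment's vm_end, and the next page of stack frames is served from the shared segment without any fault at all: the server's saved return addresses now sit in memory the client can write, which is the condition the X.Org attack relied on. With the check, the page adjacent to the segment is never handed to the stack; touching it fails and the process gets a fatal signal instead. A single guard page only stops growth one page at a time, which is why the 2017 Stack Clash research (CVE-2017-1000364) could jump it with frames larger than a page, and why kernels from 4.12 replaced it with a configurable gap (stack_guard_gap, 256 pages by default).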

Priority

Medium

Status

Package Release Status
linux (Launchpad, Ubuntu, Debian)
Upstream: Released (2.6.36~rc1)
Patches:
Upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=320b2b8de12698082609ebbc1a17165727f4c893
Upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=5528f9132cf65d4d892bcbc5684c61e7822b21e9
Upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=11ac552477e32835cb6970bf0a70c210807f5673
Upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d7824370e26325c881b665350ce64fb0a4fde24a
Upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=96054569190bdec375fe824e48ca1f4e3b53dd36
Hardy: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/hardy/linux/0001-mm-keep-a-guard-page-below-a-grow-down-stack-segment.txt
Hardy: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/hardy/linux/0002-mm-fix-missing-page-table-unmap-for-stack-guard-page-f.txt
Hardy: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/hardy/linux/0003-mm-fix-page-table-unmap-for-stack-guard-page-properly.txt
Hardy: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/hardy/linux/0004-mm-fix-up-some-user-visible-effects-of-the-stack-guard.txt
Hardy: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/hardy/linux/0005-x86-don-t-send-SIGBUS-for-kernel-page-faults.txt
Hardy: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/hardy/linux/0006-mm-pass-correct-mm-when-growing-stack.txt
Hardy: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/hardy/linux/0007-OPENVZ-Fixup-patches-to-memory.c-and-mlock.c.txt
Jaunty: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/jaunty/linux/0001-mm-keep-a-guard-page-below-a-grow-down-stack-segment.txt
Jaunty: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/jaunty/linux/0002-mm-fix-missing-page-table-unmap-for-stack-guard-page-f.txt
Jaunty: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/jaunty/linux/0003-mm-fix-page-table-unmap-for-stack-guard-page-properly.txt
Jaunty: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/jaunty/linux/0004-mm-fix-up-some-user-visible-effects-of-the-stack-guard.txt
Jaunty: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/jaunty/linux/0005-x86-don-t-send-SIGBUS-for-kernel-page-faults.txt
Karmic: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/karmic/linux/0001-mm-keep-a-guard-page-below-a-grow-down-stack-segment.txt
Karmic: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/karmic/linux/0002-mm-fix-missing-page-table-unmap-for-stack-guard-page-f.txt
Karmic: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/karmic/linux/0003-mm-fix-page-table-unmap-for-stack-guard-page-properly.txt
Karmic: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/karmic/linux/0004-mm-fix-up-some-user-visible-effects-of-the-stack-guard.txt
Karmic: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/karmic/linux/0005-x86-don-t-send-SIGBUS-for-kernel-page-faults.txt
Lucid: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/lucid/linux/0001-mm-keep-a-guard-page-below-a-grow-down-stack-segment.txt
Lucid: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/lucid/linux/0002-mm-fix-missing-page-table-unmap-for-stack-guard-page-f.txt
Lucid: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/lucid/linux/0003-mm-fix-page-table-unmap-for-stack-guard-page-properly.txt
Lucid: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/lucid/linux/0004-mm-fix-up-some-user-visible-effects-of-the-stack-guard.txt
Lucid: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/lucid/linux/0005-x86-don-t-send-SIGBUS-for-kernel-page-faults.txt
linux-ec2 (Launchpad, Ubuntu, Debian)
Upstream: Released (2.6.36~rc1)
linux-fsl-imx51 (Launchpad, Ubuntu, Debian)
Upstream: Released (2.6.36~rc1)
linux-mvl-dove (Launchpad, Ubuntu, Debian)
Upstream: Released (2.6.36~rc1)
linux-source-2.6.15 (Launchpad, Ubuntu, Debian)
Upstream: Released (2.6.36~rc1)
Patches:
Dapper: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/dapper/linux/0001-mm-keep-a-guard-page-below-a-grow-down-stack-segment.txt
Dapper: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/dapper/linux/0002-mm-fix-missing-page-table-unmap-for-stack-guard-page-f.txt
Dapper: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/dapper/linux/0003-mm-fix-page-table-unmap-for-stack-guard-page-properly.txt
Dapper: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/dapper/linux/0004-mm-fix-up-some-user-visible-effects-of-the-stack-guard.txt
Dapper: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/dapper/linux/0005-x86-don-t-send-SIGBUS-for-kernel-page-faults.txt
Dapper: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/dapper/linux/0006-mm-pass-correct-mm-when-growing-stack.txt