
CVE-2010-2240

Published: 17 August 2010

The do_anonymous_page function in mm/memory.c in the Linux kernel before 2.6.27.52, 2.6.32.x before 2.6.32.19, 2.6.34.x before 2.6.34.4, and 2.6.35.x before 2.6.35.2 does not properly separate the stack and the heap, which allows context-dependent attackers to execute arbitrary code by writing to the bottom page of a shared memory segment, as demonstrated by a memory-exhaustion attack against the X.Org X server.

From the Ubuntu Security Team

Gael Delalleu, Rafal Wojtczuk, and Brad Spengler discovered that the memory manager did not properly handle the case where applications grow their stacks into adjacent memory regions. A local attacker could exploit this to gain control of certain applications, potentially leading to privilege escalation, as demonstrated in attacks against the X server.

Notes

Author: smb
Note: There seem to be three follow-up patches upstream (one of them is not CCed to stable, but should be (gets fixed up actually)).

Author: jdstrand
Note: caused regression in Xen on hardy

Priority

Medium

Status

Package: linux (Launchpad, Ubuntu, Debian)
dapper: Does not exist
hardy: Released (2.6.24-28.75)
jaunty: Released (2.6.28-19.64)
karmic: Released (2.6.31-22.63)
lucid: Released (2.6.32-24.41)
maverick: Released (2.6.35-16.22)
upstream: Released (2.6.36~rc1)
Patches:
upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=320b2b8de12698082609ebbc1a17165727f4c893
upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=5528f9132cf65d4d892bcbc5684c61e7822b21e9
upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=11ac552477e32835cb6970bf0a70c210807f5673
upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d7824370e26325c881b665350ce64fb0a4fde24a
upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=96054569190bdec375fe824e48ca1f4e3b53dd36
hardy: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/hardy/linux/0001-mm-keep-a-guard-page-below-a-grow-down-stack-segment.txt
hardy: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/hardy/linux/0002-mm-fix-missing-page-table-unmap-for-stack-guard-page-f.txt
hardy: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/hardy/linux/0003-mm-fix-page-table-unmap-for-stack-guard-page-properly.txt
hardy: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/hardy/linux/0004-mm-fix-up-some-user-visible-effects-of-the-stack-guard.txt
hardy: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/hardy/linux/0005-x86-don-t-send-SIGBUS-for-kernel-page-faults.txt
hardy: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/hardy/linux/0006-mm-pass-correct-mm-when-growing-stack.txt
hardy: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/hardy/linux/0007-OPENVZ-Fixup-patches-to-memory.c-and-mlock.c.txt
jaunty: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/jaunty/linux/0001-mm-keep-a-guard-page-below-a-grow-down-stack-segment.txt
jaunty: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/jaunty/linux/0002-mm-fix-missing-page-table-unmap-for-stack-guard-page-f.txt
jaunty: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/jaunty/linux/0003-mm-fix-page-table-unmap-for-stack-guard-page-properly.txt
jaunty: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/jaunty/linux/0004-mm-fix-up-some-user-visible-effects-of-the-stack-guard.txt
jaunty: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/jaunty/linux/0005-x86-don-t-send-SIGBUS-for-kernel-page-faults.txt
karmic: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/karmic/linux/0001-mm-keep-a-guard-page-below-a-grow-down-stack-segment.txt
karmic: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/karmic/linux/0002-mm-fix-missing-page-table-unmap-for-stack-guard-page-f.txt
karmic: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/karmic/linux/0003-mm-fix-page-table-unmap-for-stack-guard-page-properly.txt
karmic: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/karmic/linux/0004-mm-fix-up-some-user-visible-effects-of-the-stack-guard.txt
karmic: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/karmic/linux/0005-x86-don-t-send-SIGBUS-for-kernel-page-faults.txt
lucid: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/lucid/linux/0001-mm-keep-a-guard-page-below-a-grow-down-stack-segment.txt
lucid: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/lucid/linux/0002-mm-fix-missing-page-table-unmap-for-stack-guard-page-f.txt
lucid: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/lucid/linux/0003-mm-fix-page-table-unmap-for-stack-guard-page-properly.txt
lucid: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/lucid/linux/0004-mm-fix-up-some-user-visible-effects-of-the-stack-guard.txt
lucid: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/lucid/linux/0005-x86-don-t-send-SIGBUS-for-kernel-page-faults.txt

Package: linux-ec2 (Launchpad, Ubuntu, Debian)
dapper: Does not exist
hardy: Does not exist
karmic: Released (2.6.31-307.17)
lucid: Released (2.6.32-308.15)
maverick: Ignored (end of life)
upstream: Released (2.6.36~rc1)

Package: linux-fsl-imx51 (Launchpad, Ubuntu, Debian)
dapper: Does not exist
hardy: Does not exist
karmic: Released (2.6.31-112.30)
lucid: Released (2.6.31-608.19)
maverick: Does not exist
upstream: Released (2.6.36~rc1)

Package: linux-mvl-dove (Launchpad, Ubuntu, Debian)
dapper: Does not exist
hardy: Does not exist
karmic: Released (2.6.31-214.30)
lucid: Released (2.6.32-208.24)
maverick: Not vulnerable
upstream: Released (2.6.36~rc1)

Package: linux-source-2.6.15 (Launchpad, Ubuntu, Debian)
dapper: Released (2.6.15-55.87)
hardy: Does not exist
jaunty: Does not exist
karmic: Does not exist
lucid: Does not exist
maverick: Does not exist
upstream: Released (2.6.36~rc1)
Patches:
dapper: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/dapper/linux/0001-mm-keep-a-guard-page-below-a-grow-down-stack-segment.txt
dapper: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/dapper/linux/0002-mm-fix-missing-page-table-unmap-for-stack-guard-page-f.txt
dapper: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/dapper/linux/0003-mm-fix-page-table-unmap-for-stack-guard-page-properly.txt
dapper: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/dapper/linux/0004-mm-fix-up-some-user-visible-effects-of-the-stack-guard.txt
dapper: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/dapper/linux/0005-x86-don-t-send-SIGBUS-for-kernel-page-faults.txt
dapper: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2240/patches/dapper/linux/0006-mm-pass-correct-mm-when-growing-stack.txt