CVE-2010-4258

Published: 30 December 2010

The do_exit function in kernel/exit.c in the Linux kernel before 2.6.36.2 does not properly handle a KERNEL_DS get_fs value, which allows local users to bypass intended access_ok restrictions, overwrite arbitrary kernel memory locations, and gain privileges by leveraging a (1) BUG, (2) NULL pointer dereference, or (3) page fault, as demonstrated by vectors involving the clear_child_tid feature and the splice system call.

From the Ubuntu security team

Nelson Elhage discovered that the kernel did not correctly handle process cleanup after triggering a recoverable kernel bug. If a local attacker were able to trigger certain kinds of kernel bugs, they could create a specially crafted process to gain root privileges.

Priority

Medium

Status

Package Release Status
linux
Launchpad, Ubuntu, Debian 		Upstream
Released (2.6.37~rc5)
Patches:
Upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=33dd94ae1ccbfb7bf0fb6c692bc3d1c4269e6177
linux-ec2
Launchpad, Ubuntu, Debian 		Upstream
Released (2.6.37~rc5)
linux-fsl-imx51
Launchpad, Ubuntu, Debian 		Upstream
Released (2.6.37~rc5)
linux-lts-backport-maverick
Launchpad, Ubuntu, Debian 		Upstream
Released (2.6.37~rc5)
linux-lts-backport-natty
Launchpad, Ubuntu, Debian 		Upstream
Released (2.6.37~rc5)
linux-mvl-dove
Launchpad, Ubuntu, Debian 		Upstream
Released (2.6.37~rc5)
linux-source-2.6.15
Launchpad, Ubuntu, Debian 		Upstream
Released (2.6.37~rc5)
linux-ti-omap4
Launchpad, Ubuntu, Debian 		Upstream
Released (2.6.37~rc5)

References

Bugs

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading