CVE-2010-4258

Published: 30 December 2010

The do_exit function in kernel/exit.c in the Linux kernel before 2.6.36.2 does not properly handle a KERNEL_DS get_fs value, which allows local users to bypass intended access_ok restrictions, overwrite arbitrary kernel memory locations, and gain privileges by leveraging a (1) BUG, (2) NULL pointer dereference, or (3) page fault, as demonstrated by vectors involving the clear_child_tid feature and the splice system call.

From the Ubuntu security team

Nelson Elhage discovered that the kernel did not correctly handle process cleanup after triggering a recoverable kernel bug. If a local attacker were able to trigger certain kinds of kernel bugs, they could create a specially crafted process to gain root privileges.

Priority

Medium

Status

Package Release Status
linux
Launchpad, Ubuntu, Debian
Upstream
Released (2.6.37~rc5)
Patches:
Upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=33dd94ae1ccbfb7bf0fb6c692bc3d1c4269e6177
linux-ec2
Launchpad, Ubuntu, Debian
Upstream
Released (2.6.37~rc5)
linux-fsl-imx51
Launchpad, Ubuntu, Debian
Upstream
Released (2.6.37~rc5)
linux-lts-backport-maverick
Launchpad, Ubuntu, Debian
Upstream
Released (2.6.37~rc5)
linux-lts-backport-natty
Launchpad, Ubuntu, Debian
Upstream
Released (2.6.37~rc5)
linux-mvl-dove
Launchpad, Ubuntu, Debian
Upstream
Released (2.6.37~rc5)
linux-source-2.6.15
Launchpad, Ubuntu, Debian
Upstream
Released (2.6.37~rc5)
linux-ti-omap4
Launchpad, Ubuntu, Debian
Upstream
Released (2.6.37~rc5)