---

Home Security

Users urged to upgrade to latest Linux production kernel

By

Alan Cox
writes:

Linux 2.0.36 fixed various security holes as does any stable OS
update. Some of these may have equivalents in other systems, so
this documents the relevant ones now that every vendor should have
their kernel updates long out.

Overall:

  • If you have untrusted local users using 2.0.x x<36 there are
    denial of service attacks possible. If you actively use securelevel
    and append only files there is a possibility to write data over
    files a user has only append access too.
  • If you run masquerading there is a possible crash mended. I
    failed to succeed in causing it but its fixed nevertheless and its
    potentially exploitable.

The things of relevance we fixed

  • mmap on append only files has to be restricted to read maps.
    Linux 2.0.35 did this but it was possible to use mprotect() to then
    change the mapping to Read/write. 2.0.36 closes this hole.
  • readv/writev could crash. Linux uses “NULL” to indicate no
    method is available for unix read/write operations. The
    readv/writev calls neglected to check this. So a writev() to a
    device that has no write method crashes the program and may make a
    mess.
  • A fencepost error in the syscall return path. x86 syscall
    returns are fun because many things can fault in supervisor space
    if the user process did something stupid, or another thread does
    things like play with the local descriptor table between the call
    and return. The Linux kernel catches such faults and tidies up.
    There was a small range of code that it mistakenly considered as
    not part of the return path.
  • When interpreting PC partition tables there are a couple of
    places where you end up doing (something+1) and dividing by it. A
    partition table with 65535 listed for cylinders caused divide by
    zero errors.
  • An unchecked size/offset assumption in the masquerading code
    could in theory lead to a crash.

I wouldnt be suprised to see the mmap and partition table ones
in other OS’s but I doubt the readv/fencepost errors have any
obvious equivalence.

——

Vendor upgrade notes:

Red Hat Software:

http://www.redhat.com/support/docs/rhl/intel/kernel-upgrade-intel.html

No other vendor has bothered to reply to the original vendor-sec
request for comments on this message so far.

Complete Story
Previous article
Next article

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis

Must Read

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Our Brands

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.