From: SecuriTeam <support@securiteam.com.>
To: list@securiteam.com
Date: 11 Jun 2007 09:57:24 +0200
Subject: [UNIX] Linux Kernel cpuset tasks Information Disclosure Vulnerability
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20070611071230.E0183573F@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Linux Kernel cpuset tasks Information Disclosure Vulnerability
------------------------------------------------------------------------
SUMMARY
Linux is "a clone of the UNIX operating system, written from scratch by
Linus Torvalds with assistance from a loosely-knit team of hackers across
the Internet. The cpuset functionality allows process to be assigned to
processors on multi-processor machines".
Local exploitation of an information disclosure vulnerability within the
Linux Kernel allows attackers to obtain sensitive information from kernel
memory.
DETAILS
Vulnerable Systems:
* Linux Kernel version 2.6.20 installed with Fedora CORE 6.
* It is suspected that previous versions, at least until 2.6.12, are also
vulnerable.
This vulnerability specifically exists in the "cpuset_tasks_read"
function. This function is responsible for supplying user-land processes
with data when they read from the /dev/cpuset/tasks file. The code excerpt
below shows the problem area.
1754 if (*ppos + nbytes > ctr->bufsz)
1755 nbytes = ctr->bufsz - *ppos;
1756 if (copy_to_user(buf, ctr->buf + *ppos, nbytes))
By reading from an offset (*ppos) larger than the contents of the file, an
attacker can cause an integer underflow to occur in the subtraction on
line 1755. This will result in the "copy_to_user" function on line 1756 to
be called with a memory address located at a lower address than the start
of the intended buffer. This memory could potentially contain sensitive
information such as security tokens or passwords.
Exploitation of this vulnerability allows attackers to obtain sensitive
information from kernel memory.
In order to exploit this vulnerability, an attacker would need access to
open the /dev/cpuset/tasks file. It is important to note that this file
does not exist unless the cpuset file system has been mounted.
Additionally, this functionality is not included by default in a vanilla
kernel build.
Furthermore, because of checks at the VFS layer and in the
'copy_to_user()' function, an attacker cannot use arbitrary values.
However, on 32-bit systems it is easily exploitable.
Workaround:
In order to prevent exploitation of this vulnerability, discontinue use of
the cpuset file system. This can be accomplished by un-mounting the file
system using the "umount" command.
Vendor Status:
The Linux kernel team has released versions 2.6.20.13 and 2.6.21.4 to
address this vulnerability. More information can be found via the
following URLs.
<http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.13>;
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.13
<http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.21.4>;
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.21.4
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2875>;
CVE-2007-2875
Disclosure Timeline:
* 04/27/2007 - Initial vendor notification
* 06/04/2007 - Second vendor notification
* 06/04/2007 - Initial vendor response
* 06/07/2007 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by iDefense.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=541>;
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=541
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
