The do_mremap() function of the Linux kernel is used to manage (move, resize) Virtual Memory Areas (VMAs). By exploiting an incorrect bounds check in do_mremap() during the remapping of memory, it is possible to create a VMA with a size of 0. In normal operation, do_mremap() leaves a memory hole of one page and creates an additional VMA of two pages. When the flaw is exploited, no hole is created and the new VMA has a length of 0 bytes. The Linux kernel's memory management is corrupted from this point and can be abused by local users to gain root privileges.
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
openSUSE | 8.1 | i586 | k_athlon | < 2.4.21-168 | k_athlon-2.4.21-168.i586.rpm |
openSUSE | 9.0 | i586 | k_um | < 2.4.21-166 | k_um-2.4.21-166.i586.rpm |
openSUSE | 9.0 | x86_64 | kernel-source | < 2.4.21-171 | kernel-source-2.4.21-171.x86_64.rpm |
openSUSE | 9.0 | i586 | k_smp4g | < 2.4.21-166 | k_smp4G-2.4.21-166.i586.rpm |
openSUSE | 8.0 | i386 | k_i386 | < 2.4.18-282 | k_i386-2.4.18-282.i386.rpm |
openSUSE | 8.1 | i586 | k_smp | < 2.4.21-168 | k_smp-2.4.21-168.i586.rpm |
openSUSE | 8.1 | i586 | k_deflt | < 2.4.21-168 | k_deflt-2.4.21-168.i586.rpm |
openSUSE | 9.0 | i586 | k_deflt | < 2.4.21-166 | k_deflt-2.4.21-166.i586.rpm |
openSUSE | 8.0 | i386 | kernel-source | < 2.4.18.SuSE-282 | kernel-source-2.4.18.SuSE-282.i386.rpm |
openSUSE | 8.0 | i386 | k_psmp | < 2.4.18-282 | k_psmp-2.4.18-282.i386.rpm |
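
To check hosts against the table above, the following added example (not part of the original advisory) compares an installed kernel package's version-release with the bound listed for its row. It assumes the `<` bound is the first fixed build, and it uses a simplified RPM-style segment comparison with no epoch, `~` or `^` handling; the function names and the sample inventory are constructed for illustration.

```python
import re

# Fixed version-release per (OS version, architecture, package), copied from
# the advisory table; installed packages older than this are affected.
FIXED = {
    ("8.0", "i386", "k_i386"): "2.4.18-282",
    ("8.0", "i386", "k_psmp"): "2.4.18-282",
    ("8.0", "i386", "kernel-source"): "2.4.18.SuSE-282",
    ("8.1", "i586", "k_athlon"): "2.4.21-168",
    ("8.1", "i586", "k_deflt"): "2.4.21-168",
    ("8.1", "i586", "k_smp"): "2.4.21-168",
    ("9.0", "i586", "k_deflt"): "2.4.21-166",
    ("9.0", "i586", "k_smp4g"): "2.4.21-166",
    ("9.0", "i586", "k_um"): "2.4.21-166",
    ("9.0", "x86_64", "kernel-source"): "2.4.21-171",
}

def rpmvercmp(a, b):
    """Segment-wise comparison in the style of RPM (no epoch, '~' or '^')."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)            # compare numbers by value, not text
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_affected(os_version, arch, package, installed):
    """True if older than the fixed build, None if the table has no such row."""
    fixed = FIXED.get((os_version, arch, package.lower()))
    return None if fixed is None else evr_cmp(installed, fixed) < 0

# Constructed sample inventory (as from `rpm -q --qf` output), not real hosts.
INVENTORY = [
    ("9.0", "i586", "k_deflt", "2.4.21-99"),
    ("8.1", "i586", "k_smp", "2.4.21-168"),
    ("8.0", "i386", "kernel-source", "2.4.18.SuSE-281"),
]

if __name__ == "__main__":
    for row in INVENTORY:
        print(*row, "AFFECTED" if is_affected(*row) else "ok or not listed")
```

The first inventory row shows why a plain string comparison is not enough: release 99 sorts after 166 as text but is the older build.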