Another bug in the kernel's do_mremap() function, unrelated to the bug fixed in SuSE-SA:2004:001, was found by Paul Starzetz. The do_mremap() function of the Linux kernel is used to manage Virtual Memory Areas (VMAs), which includes moving, removing and resizing memory areas. To remove old memory areas, do_mremap() calls do_munmap() without checking the return value. By forcing do_munmap() to return an error, the memory management of a process can be tricked into moving page table entries from one VMA to another. The destination VMA may be protected by a different ACL, which enables a local attacker to gain write access to previously read-only pages. The result will be local root access to the system.
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
openSUSE | 9.0 | i586 | kernel-source | < 2.4.21-192 | kernel-source-2.4.21-192.i586.rpm |
openSUSE | 8.1 | i586 | k_smp | < 2.4.21-189 | k_smp-2.4.21-189.i586.rpm |
openSUSE | 8.1 | i586 | k_psmp | < 2.4.21-189 | k_psmp-2.4.21-189.i586.rpm |
openSUSE | 8.2 | i586 | k_psmp | < 2.4.20-105 | k_psmp-2.4.20-105.i586.rpm |
openSUSE | 9.0 | i586 | k_um | < 2.4.21-192 | k_um-2.4.21-192.i586.rpm |
openSUSE | 9.0 | x86_64 | kernel-source | < 2.4.21-201 | kernel-source-2.4.21-201.x86_64.rpm |
openSUSE | 8.1 | i586 | k_deflt | < 2.4.21-189 | k_deflt-2.4.21-189.i586.rpm |
openSUSE | 9.0 | i586 | k_athlon | < 2.4.21-192 | k_athlon-2.4.21-192.i586.rpm |
openSUSE | 9.0 | i586 | k_smp | < 2.4.21-192 | k_smp-2.4.21-192.i586.rpm |
openSUSE | 8.2 | i586 | kernel-source | < 2.4.20.SuSE-104 | kernel-source-2.4.20.SuSE-104.i586.rpm |
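
To check an inventory against the table above, the following added example (not part of the original advisory) compares an installed kernel package version with the fixed version listed for its release and architecture. The function names are hypothetical, the comparison is a simplified form of RPM's segment-wise version ordering (no epoch, tilde or caret handling), and reading "< X" as "versions older than X are affected" is an assumption.

```python
import re

# Fixed package versions per (OS version, architecture, package), copied from
# the advisory table. Reading "< X" as "versions older than X are affected"
# is this example's assumption.
FIXED = {
    ("9.0", "i586", "kernel-source"): "2.4.21-192",
    ("9.0", "i586", "k_um"): "2.4.21-192",
    ("9.0", "i586", "k_athlon"): "2.4.21-192",
    ("9.0", "i586", "k_smp"): "2.4.21-192",
    ("9.0", "x86_64", "kernel-source"): "2.4.21-201",
    ("8.1", "i586", "k_smp"): "2.4.21-189",
    ("8.1", "i586", "k_psmp"): "2.4.21-189",
    ("8.1", "i586", "k_deflt"): "2.4.21-189",
    ("8.2", "i586", "k_psmp"): "2.4.20-105",
    ("8.2", "i586", "kernel-source"): "2.4.20.SuSE-104",
}

def segment_cmp(a, b):
    """Simplified RPM-style comparison of one version or release string."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment sorts newer
        if x.isdigit():
            x, y = int(x), int(y)            # compare numbers numerically
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return segment_cmp(va, vb) or segment_cmp(ra, rb)

def is_vulnerable(os_version, arch, package, installed):
    """True/False for a listed package, None if the table has no entry."""
    fixed = FIXED.get((os_version, arch, package))
    if fixed is None:
        return None
    return evr_cmp(installed, fixed) < 0

if __name__ == "__main__":
    # Constructed sample: a hypothetical 9.0 host with an older k_smp build.
    print(is_vulnerable("9.0", "i586", "k_smp", "2.4.21-166"))
```
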