
Linux kernel security vulnerability affecting 2.4 up to 2.6.7 kernels found in the code handling 64-bit file offset pointers

isec has found a flaw that allows any user with normal privileges to read and dump large parts of the kernel memory and thereby, in a worst-case scenario, obtain the root password.

Apparently, most of the entries in the /proc filesystem can be used to leak a page of initialized kernel memory. This requires the file position to be set to a negative value, thereby bypassing the checks that would otherwise prevent unauthorized access to kernel memory space.

A negative value can be achieved by using two threads sharing the same VM. The first thread maps a large file and calls madvise on it with the WILLNEED flag. This makes the kernel issue a down_write, thereby scheduling a read-ahead request for a memory-mapped file in /proc. The second thread issues a read request on /proc, then sleeps until the first thread's madvise call is done. The first thread is the one which wakes up first, and it can now set the file pointer of the /proc file to the highest possible value. This makes the second thread pour out initialized memory.
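As an added illustration of the two paragraphs above (not code from the advisory or from the kernel), this C model shows why a negative 64-bit file offset matters: a /proc-style read handler that only checks the upper bound accepts pos < 0 and computes a source window that lies before its page, while the hardened check rejects it. PAGE_SIZE_SIM, kernel_page and the function names are constructed stand-ins.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the page of kernel memory behind a /proc entry. */
#define PAGE_SIZE_SIM 4096
static const char kernel_page[PAGE_SIZE_SIM] = "constructed /proc contents";

/* Flawed check, modelled on the pattern the advisory describes: only the
 * upper bound is tested, so a negative 64-bit offset passes and the computed
 * source window starts before kernel_page. Returns 1 if the read is allowed. */
int bounds_flawed(int64_t pos, size_t count, int64_t *start, size_t *len) {
    if (pos >= PAGE_SIZE_SIM)
        return 0;                                   /* EOF */
    size_t avail = (size_t)(PAGE_SIZE_SIM - pos);   /* > page when pos < 0 */
    *start = pos;                                   /* negative: out of page */
    *len = count < avail ? count : avail;
    return 1;
}

/* Hardened check: reject negative offsets outright, then clamp the length so
 * start + len can never leave the page. */
int bounds_hardened(int64_t pos, size_t count, int64_t *start, size_t *len) {
    if (pos < 0)
        return 0;                                   /* -EINVAL in a kernel */
    if (pos >= PAGE_SIZE_SIM)
        return 0;                                   /* EOF */
    size_t avail = (size_t)(PAGE_SIZE_SIM - pos);
    *start = pos;
    *len = count < avail ? count : avail;
    return 1;
}

/* Read handler built on the hardened check; returns the bytes copied. */
size_t proc_read(char *dst, size_t count, int64_t pos) {
    int64_t start;
    size_t len;
    if (!bounds_hardened(pos, count, &start, &len))
        return 0;
    memcpy(dst, kernel_page + start, len);
    return len;
}

int main(void) {
    int64_t s; size_t l;
    printf("flawed  pos=-4096: allowed=%d start=%lld len=%zu\n",
           bounds_flawed(-4096, 4096, &s, &l), (long long)s, l);
    printf("hardened pos=-4096: allowed=%d\n", bounds_hardened(-4096, 4096, &s, &l));
    return 0;
}
```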

An evil user must already have a normal user account on the system, or some other means of running code, in order to use this as part of an exploit. No special privileges are required.

isec included proof-of-concept code demonstrating how the vulnerability can be used in their advisory, which was issued 2004-08-04. There is no kernel patch or other means of protecting yourself against this.

Source: isec advisory 0016, "Linux kernel file offset pointer handling":
