oss-sec mailing list archives
Re: CVE request - kernel: execve: must clear current->clear_child_tid
From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 18 Aug 2009 16:51:58 -0400 (EDT)
On Tue, 4 Aug 2009, Eugene Teo wrote:
The integer location is a user-provided pointer, provided at clone() time. The kernel keeps this pointer value in current->clear_child_tid. At execve() time, we should make sure the kernel doesn't keep this user-provided pointer, as the full user memory is replaced by a new one. ... Patch is not in upstream kernel yet.
I assumed 2.6.30-rc6 and earlier at this stage.

======================================================
Name: CVE-2009-2848
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2848
Reference: MLIST:[linux-kernel] 20090801 [PATCH v2] execve: must clear current->clear_child_tid
Reference: URL:http://article.gmane.org/gmane.linux.kernel/871942
Reference: MLIST:[oss-security] 20090804 CVE request - kernel: execve: must clear current->clear_child_tid
Reference: URL:http://www.openwall.com/lists/oss-security/2009/08/04/2
Reference: MLIST:[oss-security] 20090805 Re: CVE request - kernel: execve: must clear current->clear_child_tid
Reference: URL:http://www.openwall.com/lists/oss-security/2009/08/05/10

The execve function in the Linux kernel, possibly 2.6.30-rc6 and earlier, does not properly clear the current->clear_child_tid pointer, which allows local users to cause a denial of service (memory corruption) via a clone system call with CLONE_CHILD_SETTID or CLONE_CHILD_CLEARTID enabled, which is not properly handled during thread creation and exit.
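To make the lifetime problem in the thread concrete, here is an added user-space model (not kernel code and not the upstream patch) of the three events involved: clone() stores the user pointer, execve() replaces the whole address space, and thread exit writes 0 through the stored pointer. The "address space" is a constructed byte array and the pointer is an offset into it; the `fixed` flag models the remedy the thread calls for, forgetting the pointer when the image is replaced.

```c
/* Added model of CVE-2009-2848 (not Linux kernel code). A constructed
 * byte array stands in for the process's user memory. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define AS_SIZE  64          /* toy address-space size (constructed) */
#define TID_NULL SIZE_MAX    /* models clear_child_tid == NULL */

struct task {
    uint8_t as[AS_SIZE];     /* user memory of the task */
    size_t  clear_child_tid; /* offset into as[] remembered at clone() */
};

/* clone(CLONE_CHILD_CLEARTID, ..., ctid): kernel remembers the user pointer. */
static void do_clone(struct task *t, size_t ctid)
{
    t->clear_child_tid = ctid;
}

/* execve(): the old user memory is thrown away and replaced by the new image.
 * Vulnerable behaviour keeps the stale pointer; the fix forgets it here. */
static void do_execve(struct task *t, const uint8_t *image, int fixed)
{
    memcpy(t->as, image, AS_SIZE);
    if (fixed)
        t->clear_child_tid = TID_NULL;
}

/* Thread exit: the kernel stores 0 through clear_child_tid if it is set. */
static void do_exit(struct task *t)
{
    if (t->clear_child_tid != TID_NULL) {
        uint32_t zero = 0;
        memcpy(t->as + t->clear_child_tid, &zero, sizeof zero);
        t->clear_child_tid = TID_NULL;
    }
}

/* Runs clone -> execve -> exit and returns the 32-bit word the new image
 * placed at offset ctid. With the fix it survives as 0xDEADBEEF; without it
 * the stale pointer zeroes memory that now belongs to the new program. */
uint32_t word_after_exec(int fixed, size_t ctid)
{
    struct task t = { .clear_child_tid = TID_NULL };
    uint8_t image[AS_SIZE];
    uint32_t marker = 0xDEADBEEFu, out;

    memset(image, 0xAA, AS_SIZE);                /* new program image */
    memcpy(image + ctid, &marker, sizeof marker);
    do_clone(&t, ctid);
    do_execve(&t, image, fixed);
    do_exit(&t);
    memcpy(&out, t.as + ctid, sizeof out);
    return out;
}
```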
Current thread:
- CVE request - kernel: execve: must clear current->clear_child_tid Eugene Teo (Aug 04)
- Re: CVE request - kernel: execve: must clear current->clear_child_tid Michael K. Johnson (Aug 05)
- Re: CVE request - kernel: execve: must clear current->clear_child_tid Steven M. Christey (Aug 18)
