Bug 71782 (CVE-2005-0736)

Summary: VUL-0: CVE-2005-0736: kernel: epoll allows to overwrite memory
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Marcus Meissner <meissner>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard: CVE-2005-0736: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments:
  mail with patch as attachment
  exploit posted on full-disclosure

Description Ludwig Nussel 2005-03-09 11:20:34 UTC
We received the following report via vendor-sec.
The issue is public.

Date: Tue, 8 Mar 2005 12:43:17 -0500
From: Alan Cox <alan@redhat.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] [torvalds@osdl.org: [Security] epoll hole..]

Linus security-list policy applies to this one. 


----- Forwarded message from Linus Torvalds <torvalds@osdl.org> -----

Date: Tue, 8 Mar 2005 09:29:24 -0800 (PST)
From: Linus Torvalds <torvalds@osdl.org>
To: Kernel security list <security@kernel.org>
Subject: [Security] epoll hole..


This allows overwriting of the first few kB of physical memory on x86.

It usually doesn't actually contain anything (the first 4kB are left alone 
for dosemu etc to read the original 16-bit interrupt descriptors, and the 
rest is just about the last thing we ever allocate, so it's usually 
unused), but still..

Already in my tree, soon to be pushed out.

		Linus
----
# This is a BitKeeper generated diff -Nru style patch.
#
# ChangeSet
#   2005/03/08 08:18:50-08:00 torvalds@ppc970.osdl.org 
#   epoll: return proper error on overflow condition
#   
#   Noted by Georgi Guninski.
# 
# fs/eventpoll.c
#   2005/03/08 08:18:40-08:00 torvalds@ppc970.osdl.org +2 -1
#   epoll: return proper error on overflow condition
#   
#   Noted by Georgi Guninski.
# 
diff -Nru a/fs/eventpoll.c b/fs/eventpoll.c
--- a/fs/eventpoll.c	2005-03-08 09:24:04 -08:00
+++ b/fs/eventpoll.c	2005-03-08 09:24:04 -08:00
@@ -619,6 +619,7 @@
 	return error;
 }
 
+#define MAX_EVENTS (INT_MAX / sizeof(struct epoll_event))
 
 /*
  * Implement the event wait interface for the eventpoll file. It is the kernel
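Review bot: MAX_EVENTS is dropped between the end of the previous function and the comment block with nothing saying why INT_MAX is the bound, and because `sizeof` yields size_t the macro is unsigned rather than int. A one-line comment tying it to the user-buffer size computation behind the "Verify that the area passed by the user is writeable" check would spare the next reader the reconstruction, e.g. `/* largest maxevents whose byte count still fits in an int */` placed directly above the #define.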
@@ -635,7 +636,7 @@
 		     current, epfd, events, maxevents, timeout));
 
 	/* The maximum number of event must be greater than zero */
-	if (maxevents <= 0)
+	if (maxevents <= 0 || maxevents > MAX_EVENTS)
 		return -EINVAL;
 
 	/* Verify that the area passed by the user is writeable */
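Review bot: the comment above the test is now stale: it still says only "must be greater than zero" while the condition also rejects anything above MAX_EVENTS, so it should state both bounds. The comparison `maxevents > MAX_EVENTS` is an int against a size_t and is only safe because `maxevents <= 0` short-circuits first and leaves a positive value for the unsigned promotion; a `(size_t)maxevents` cast or a comment would make that ordering dependency explicit so a later reorder of the two tests cannot let a negative count pass as a huge unsigned one.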

_______________________________________________
Security mailing list
Security@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/security

----- End forwarded message -----

-- 
  "Have you noticed the way people's intelligence capabilities decline
   sharply the minute they start waving guns around?"
 		-- Dr. Who
_______________________________________________
Vendor Security mailing list
Vendor Security@lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
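The overflow the patch closes is in the byte count derived from maxevents. The following is an added example, not code from the bug, the kernel, or the attached exploit: it models, in plain C, how an unchecked `maxevents * sizeof(struct epoll_event)` wraps in 32-bit size_t arithmetic so that a tiny byte count is produced for a huge event count, and how the MAX_EVENTS bound from the patch rejects such values with -EINVAL. The 12-byte event size, the 32-bit size_t model (so the wrap reproduces on a 64-bit host), and the helper names buffer_bytes_before_fix, buffer_bytes_after_fix, true_footprint and under_reports are assumptions of the example; the effect on low physical memory that Linus describes is not modelled.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of sizeof(struct epoll_event) on x86: a 32-bit event mask plus a
 * 64-bit data word, 12 bytes. This is an assumption of the example; the
 * kernel's real struct is not reproduced here.
 */
#define EVENT_SIZE 12u

/*
 * The affected kernel is 32-bit, so size_t is 32 bits wide. A fixed-width
 * type keeps the wrap reproducible on a 64-bit host as well.
 */
typedef uint32_t k32_size_t;

/* The bound the patch introduces: INT_MAX / sizeof(struct epoll_event). */
#define MAX_EVENTS ((k32_size_t)(INT_MAX / EVENT_SIZE))

/*
 * Hypothetical helper: the byte count epoll_wait would hand to its
 * user-buffer writeability check before the fix. Returns -EINVAL or the
 * (possibly wrapped) 32-bit byte count.
 */
static int64_t buffer_bytes_before_fix(int maxevents)
{
    if (maxevents <= 0)
        return -EINVAL;
    /* unsigned 32-bit multiply: wraps silently once maxevents * 12 >= 2^32 */
    return (k32_size_t)((k32_size_t)maxevents * EVENT_SIZE);
}

/* Hypothetical helper: the same computation guarded by the patched check. */
static int64_t buffer_bytes_after_fix(int maxevents)
{
    if (maxevents <= 0 || (k32_size_t)maxevents > MAX_EVENTS)
        return -EINVAL;
    /* maxevents <= INT_MAX / 12, so the product is below 2^31 and cannot wrap */
    return (k32_size_t)((k32_size_t)maxevents * EVENT_SIZE);
}

/* Exact footprint of maxevents events, computed without 32-bit truncation. */
static int64_t true_footprint(int maxevents)
{
    return (int64_t)maxevents * EVENT_SIZE;
}

/*
 * 1 when the pre-fix byte count under-reports the area the event-copy loop
 * would later write, i.e. when the wrap lets a tiny region pass the
 * writeability check on behalf of a huge copy.
 */
static int under_reports(int maxevents)
{
    int64_t n = buffer_bytes_before_fix(maxevents);
    return n >= 0 && n < true_footprint(maxevents);
}

int main(void)
{
    /*
     * Constructed inputs: a sane count, the largest count the patch accepts,
     * one past it, and a count whose 12-byte product wraps to exactly 8.
     */
    const int samples[] = { 1024, (int)MAX_EVENTS, (int)MAX_EVENTS + 1, 0x15555556 };
    size_t i;

    printf("%12s %14s %12s %12s %s\n",
           "maxevents", "true bytes", "before", "after", "wrapped?");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int m = samples[i];
        printf("%12d %14lld %12lld %12lld %s\n", m,
               (long long)true_footprint(m),
               (long long)buffer_bytes_before_fix(m),
               (long long)buffer_bytes_after_fix(m),
               under_reports(m) ? "yes" : "no");
    }
    return 0;
}
```

maxevents = 0x15555556 is the interesting row: 0x15555556 * 12 is 0x100000008, which a 32-bit size_t truncates to 8 bytes, so the pre-fix path would check writeability of an 8-byte region while the real footprint is about 4 GiB. With the patched bound the same value is rejected up front, which is what the ChangeSet title "return proper error on overflow condition" refers to.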
Comment 1 Ludwig Nussel 2005-03-09 11:22:15 UTC
Created attachment 31057 [details]
mail with patch as attachment
Comment 2 Ludwig Nussel 2005-03-09 11:49:04 UTC
Created attachment 31060 [details]
exploit posted on full-disclosure
Comment 3 Marcus Meissner 2005-03-09 13:21:21 UTC
Please apply to 2.6 branches.

We need to check the SLES8 SP4 branch epoll too.
Comment 4 Hubert Mantel 2005-03-10 16:26:31 UTC
Fix is in all 2.6 trees now and in SLES8 trees. Older versions do not have epoll.
Comment 5 Marcus Meissner 2005-03-14 12:04:46 UTC
*** Bug 72392 has been marked as a duplicate of this bug. ***
Comment 6 Marcus Meissner 2005-03-16 12:11:01 UTC
Tracking.
Comment 7 Marcus Meissner 2005-03-24 17:25:41 UTC
Updates and advisory released.
Comment 8 Marcus Meissner 2005-08-04 12:41:57 UTC
CAN-2005-0736 
Comment 9 Thomas Biege 2009-10-13 21:10:31 UTC
CVE-2005-0736: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)