Bugzilla – Bug 65373
VUL-0: CVE-2005-0179: kernel: RLIMIT_MEMLOCK bypass and (2.6) unprivileged user DoS
Last modified: 2021-11-04 16:02:31 UTC
20050107 RLIMIT_MEMLOCK bypass and (2.6) unprivileged user DoS
This was reported by grsecurity to full-disclosure:
http://lists.netsys.com/pipermail/full-disclosure/2005-January/030660.html
Fixed by -ac8 according to Alan, "impact: DoS".
CAN-2005-0179
Created attachment 28092: rlimit-memlock.patch extracted from 2.6.10-ac6-ac7 interdiff
Not sure if the lone ret in the third hunk belongs there.
Andrea, or Andi ... can you comment? I don't seem to find the correct patch in BitKeeper, I guess the code has been restructured in mainline.
I'm not sure it's worth bothering with this one. There are a zillion ways to pin basically arbitrary amounts of kernel memory. Fixing them all is basically impossible.
Yes, the severity of the mlock DoS with stack growsdown is low. But we should at least queue the bugfix for future updates. The fix they posted is apparently correct, but it probably needs porting against our tree. I didn't evaluate the urandom thing; the driver ioctl seems mostly an issue for root willing to screw up himself.
The urandom thingy is a root sysctl and the scsi ioctl is root too. Does the guy know what security is all about? Perhaps next time he will post that Linux security is weak because he can destroy the system with rm -r /. Perhaps the fact he's still seeking funding explains why those non-security-related bugs are being posted as security related. The rlimit mlock exploit is security related but a minor one.
The guy is pushing grsecurity, his own ultra-hardened kernel ... and lacks social competence ;)
Well, my point is that if he considers a root-only sysctl "ultra hardening" he should remove the unlink syscall as well ;) That's only a minor bugfix to send to mainline without security strings attached IMHO; he can't do anything wrong unless he's root, and if he's root he can as well cp /dev/zero /dev/mem. I mean it's ridiculous when he says "I discovered 4 exploitable vulnerabilities in a matter of 15 minutes". He didn't specify "but exploitable only as root".
Andrea, I would like to include the RLIMIT_MEMLOCK bypass fix in the upcoming 2.6 line updates... can you port the fix against our trees (SP1 branch and 9.2)? Thanks!
SP1/SP2/GA/HEAD aren't vulnerable. Only the SL92 branch is vulnerable AFAIK.
Patch is now applied to SL92, all other trees should not need it (the same as bug #65370).
Thanks!
Updates released.
CVE-2005-0179: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)