Candidate: CVE-2004-2536
References:
http://www.ussg.iu.edu/hypermail/linux/kernel/0405.0/1242.html
http://www.ussg.iu.edu/hypermail/linux/kernel/0405.0/1265.html
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.6
Description:
The exit_thread function (process.c) in Linux kernel 2.6 through
2.6.5 does not invalidate the per-TSS io_bitmap pointers if a
process obtains IO access permissions from the ioperm function but
does not drop those permissions when it exits, which allows other
processes to access the per-TSS pointers, access restricted memory
locations, and possibly gain privileges.
Notes:
Horms> Tested against kernel-image-2.4.27-2-686 2.4.27-11 which does not
seem to exhibit the problem, although the code suggests it might. I guess
it's just a 2.6 problem. I marked 2.4.27 and the woody kernels N/A.
Bugs:
upstream: released (2.6.6)
linux-2.6: N/A
2.6.8-sarge-security: N/A
2.4.27-sarge-security: N/A
2.4.19-woody-security: N/A
2.4.18-woody-security: N/A
2.4.17-woody-security: N/A
2.4.16-woody-security: N/A
2.4.17-woody-security-hppa: N/A
2.4.17-woody-security-ia64: N/A
2.4.18-woody-security-hppa: N/A