cert: CERTVU:981222
History: Mar 10, 2004 - 12:00 a.m.

Linux kernel mremap(2) system call does not properly check return value from do_munmap() function

2004-03-10 00:00:00
www.kb.cert.org

CVSS2: 7.2 High

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.0004 Low
Percentile: 9.0%

Overview

A vulnerability in the Linux mremap(2) system call could allow an authenticated, local attacker to execute arbitrary code with root privileges.

Description

The Linux kernel uses a linked list of virtual memory area (VMA) descriptors to reference valid regions of the page table for a given process. VMA descriptors include information about the memory area such as start address, length, and page protection flags. A VMA effectively contains a range of page table entries (PTEs) that make up part of the page table.

The mremap(2) system call has the ability to resize or move a VMA or part of a VMA within a process’ memory space. mremap(2) contains a function called do_munmap() that is used to unmap regions of memory during resize or move operations. There is a limit on the number of VMA descriptors that can exist at one time, and do_munmap() does not create a new VMA descriptor if doing so would exceed this limit.

In certain cases, mremap(2) does not properly check the return value from the do_munmap() function, and will map PTEs to new locations even though the expected VMAs have not been created or updated. By carefully manipulating VMA to PTE relationships, a local attacker can read from or write to memory owned by a process running with different privileges.

Further technical details are available in an advisory from iSEC. Note that this vulnerability is distinct from the one described in VU#490620/CAN-2003-0985.
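
The failure pattern described above, reduced to a small user-space model in C (an added example, not kernel code and not taken from the advisory): `model_unmap()` refuses to split an area when the descriptor table is full, and `model_move()` either ignores or honours that result. All names, the three-descriptor limit and the page numbers are assumptions made for the illustration; page-table entries are not modelled, so overlapping descriptors stand in for the inconsistent state.

```c
#include <errno.h>
#include <stdio.h>

#define MAX_AREAS 3   /* constructed, tiny stand-in for the descriptor limit */

struct area  { int start, end; };            /* describes pages [start, end) */
struct space { struct area a[MAX_AREAS]; int n; };

/* Unmap [start, end). Cutting a hole inside one area needs one more
 * descriptor; at the limit the call fails and changes nothing. */
static int model_unmap(struct space *s, int start, int end)
{
    for (int i = 0; i < s->n; i++) {
        struct area *v = &s->a[i];
        if (end <= v->start || v->end <= start)
            continue;                                    /* no overlap */
        if (v->start < start && end < v->end) {          /* hole: split */
            if (s->n == MAX_AREAS)
                return -ENOMEM;
            s->a[s->n++] = (struct area){ end, v->end };
            v->end = start;
        } else if (start <= v->start && v->end <= end) { /* fully covered */
            *v = s->a[--s->n];
            i--;
        } else if (v->start < start) {
            v->end = start;                              /* trim tail */
        } else {
            v->start = end;                              /* trim head */
        }
    }
    return 0;
}

/* Move the whole area that starts at page src to page dst (ranges assumed
 * disjoint). checked == 0 models the flaw: the unmap result is ignored. */
static int model_move(struct space *s, int src, int dst, int checked)
{
    int len = 0;
    for (int i = 0; i < s->n; i++)
        if (s->a[i].start == src)
            len = s->a[i].end - src;
    if (len == 0 || dst < 0)
        return -EINVAL;
    int ret = model_unmap(s, dst, dst + len);    /* clear the destination */
    if (checked && ret)
        return ret;                  /* corrected path: stop, nothing moved */
    for (int i = 0; i < s->n; i++)   /* unmap may have reordered the table */
        if (s->a[i].start == src)
            s->a[i] = (struct area){ dst, dst + len };
    return 0;
}

/* Returns 1 if no page is claimed by more than one descriptor. */
static int model_consistent(const struct space *s)
{
    for (int i = 0; i < s->n; i++)
        for (int j = i + 1; j < s->n; j++)
            if (s->a[i].start < s->a[j].end && s->a[j].start < s->a[i].end)
                return 0;
    return 1;
}

int main(void)
{
    for (int checked = 0; checked <= 1; checked++) {
        /* Constructed scenario: table full; page 3 lies inside area [0, 8). */
        struct space s = { .a = { {0, 8}, {10, 12}, {14, 15} }, .n = MAX_AREAS };
        int ret = model_move(&s, 10, 3, checked);
        printf("checked=%d ret=%d consistent=%d\n", checked, ret, model_consistent(&s));
    }
    return 0;
}
```

With the table full, the unchecked move reports success while two descriptors claim pages 3 and 4; the checked move returns the error and leaves the table as it was.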


Impact

An authenticated, local attacker could execute arbitrary code with root privileges.


Solution

Patch or Upgrade

Apply a patch or upgrade as specified by your vendor. This issue is resolved in Linux kernels 2.2.26, 2.4.25, and 2.6.3 from the Linux Kernel Archives.


Vendor Information


Astaro Affected

Updated: March 25, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Up2Date 4.021 #35996.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23981222 Feedback>).

Conectiva Affected

Notified: March 10, 2004 Updated: March 11, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see CLSA-2004:820.

Debian Affected

Notified: March 10, 2004 Updated: March 11, 2004

Status

Affected

Vendor Statement

We have fixed this problem for our various kernels in the following advisories:

<http://www.debian.org/security/2004/dsa-456>
<http://www.debian.org/security/2004/dsa-454>
<http://www.debian.org/security/2004/dsa-453>
<http://www.debian.org/security/2004/dsa-450>
<http://www.debian.org/security/2004/dsa-444>
<http://www.debian.org/security/2004/dsa-442>
<http://www.debian.org/security/2004/dsa-440>
<http://www.debian.org/security/2004/dsa-439>
<http://www.debian.org/security/2004/dsa-441>
<http://www.debian.org/security/2004/dsa-438>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Fedora Legacy Project Affected

Updated: March 25, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see FLSA:1284.

Fedora Project Affected

Updated: March 25, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see FEDORA-2004-080.

Gentoo Linux Affected

Updated: March 11, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see GLSA 200403-02.

Linux Kernel Archives Affected

Updated: March 10, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This issue is resolved in Linux kernels 2.2.26, 2.4.25, and 2.6.3.

Linux Netwosix Affected

Updated: March 25, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see LNSA-#2004-0003.

MandrakeSoft Affected

Notified: March 10, 2004 Updated: March 25, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see MDKSA-2004:015 and MDKSA-2004:015-1.

Openwall GNU/*/Linux Affected

Notified: March 10, 2004 Updated: March 25, 2004

Status

Affected

Vendor Statement

No supported release of Openwall GNU/*/Linux (Owl) was affected by this vulnerability as of the time it was made public. We had the bug proactively fixed in Owl 1.1 release (Linux kernel 2.4.23-ow2), not realizing its full security impact at the time.

Although those are no longer a part of Owl (not in Owl 1.1), we continue to maintain security hardening patches for Linux 2.2.x kernels and make them available for the public. Linux 2.2.x was affected by a variation of this vulnerability and thus, as a service to the community, we had included a workaround in Linux 2.2.25-ow2 patch. Linux 2.2.26 now includes the same change.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Red Hat Inc. Affected

Notified: March 10, 2004 Updated: March 11, 2004

Status

Affected

Vendor Statement

Updates to correct this issue were made available for Red Hat Linux and Red Hat Enterprise Linux. Users of the Red Hat Network can update their systems using the ‘up2date’ tool.

Red Hat Linux 9:
<http://rhn.redhat.com/errata/RHSA-2004-065.html>

Red Hat Enterprise Linux 3:
<http://rhn.redhat.com/errata/RHSA-2004-066.html>

Red Hat Enterprise Linux 2.1:
<http://rhn.redhat.com/errata/RHSA-2004-069.html>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SGI Affected

Notified: March 10, 2004 Updated: March 25, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see 20040204-01-U.

Slackware Affected

Updated: March 25, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see SSA:2004-049-01.

SmoothWall Affected

Updated: March 11, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see SWL-2004:002.

SuSE Inc. Affected

Notified: March 10, 2004 Updated: March 11, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see SuSE-SA:2004:005.

Sun Microsystems Inc. Affected

Notified: March 10, 2004 Updated: March 25, 2004

Status

Affected

Vendor Statement

The following Sun products are vulnerable.

Java Desktop System Version 2003.

A patch is available to customers via the on-line update mechanism in JDS. Please see <http://wwws.sun.com/software/javadesktopsystem/update/index.html> for further details.

Sun Cobalt legacy products:

RaQ4
RaQXTR
Qube3
RaQ550

Sun will be publishing Sun Alerts for this issue which will be available from the following location:

http://sunsolve.Sun.COM/pub-cgi/search.pl?mode=results&so=date&coll=fsalert&zone_32=category:security

The Sun Alerts will be updated with the patch information as soon as patches are available.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Trustix Affected

Updated: March 11, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see TSLSA-2004-0007 (Trustix 2.0, kernel 2.4.24) and TSLSA-2004-0008 (Trustix 1.5, kernel 2.2.25).

TurboLinux Affected

Notified: March 10, 2004 Updated: March 11, 2004

Status

Affected

Vendor Statement

This vulnerability is fixed by TLSA-2004-7.

Please refer to
<http://www.turbolinux.com/security/2004/TLSA-2004-7.txt>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Wirex Affected

Notified: March 10, 2004 Updated: March 11, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see IMNX-2004-7+-001-01.

Apple Computer Inc. Not Affected

Notified: March 10, 2004 Updated: March 11, 2004

Status

Not Affected

Vendor Statement

Apple: Not Vulnerable

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Fujitsu Not Affected

Notified: March 10, 2004 Updated: March 25, 2004

Status

Not Affected

Vendor Statement

Fujitsu’s UXP/V o.s. is not affected by the problem in VU#981222 because it does not support the mremap.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NetBSD Not Affected

Notified: March 10, 2004 Updated: March 25, 2004

Status

Not Affected

Vendor Statement

NetBSD is not affected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cray Inc. Unknown

Updated: March 11, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

EMC Corporation Unknown

Updated: March 11, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

FreeBSD Unknown

Updated: March 11, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Guardian Digital Inc. Unknown

Updated: March 11, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hewlett-Packard Company Unknown

Updated: March 11, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hitachi Unknown

Updated: March 11, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IBM Unknown

Notified: March 10, 2004 Updated: March 25, 2004

Status

Unknown

Vendor Statement

IBM eServer Platform Response

For information related to this and other published CERT Advisories that may relate to the IBM eServer Platforms (xSeries, iSeries, pSeries, and zSeries) please go to https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/security=alerts?OpenDocument&pathID=

In order to access this information you will require a Resource Link ID. To subscribe to Resource Link go to <http://app-06.www.ibm.com/servers/resourcelink> and follow the steps for registration.

All questions should be referred to [email protected].

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Ingrian Networks Unknown

Updated: March 11, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Juniper Networks Unknown

Updated: March 11, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MontaVista Software Unknown

Updated: March 11, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NEC Corporation Unknown

Updated: March 11, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nokia Unknown

Updated: March 11, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Novell Unknown

Updated: March 11, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenBSD Unknown

Updated: March 11, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SCO Unknown

Updated: March 11, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sequent Unknown

Updated: March 11, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sony Corporation Unknown

Updated: March 11, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Unisys Unknown

Updated: March 11, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Wind River Systems Inc. Unknown

Updated: March 11, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Acknowledgements

This vulnerability was researched and reported by Paul Starzetz of iSEC.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2004-0077
Severity Metric: 26.52
Date Public:
