Linux Kernel madvise_remove IPC Permission Bypass

2006-04-12T04:02:35
ID OSVDB:24714
Type osvdb
Reporter Hugh Dickins(hugh@veritas.com)
Modified 2006-04-12T04:02:35

Description

Vulnerability Description

The Linux Kernel contains a flaw that may allow a malicious user to bypass IPC permissions. The issue is triggered because a 'madvise_remove' call does not follow file and mmap restrictions. It is possible that the flaw may allow an attacker to bypass IPC permissions and replace portions of readonly TMPFS files with zeroes, resulting in a loss of integrity.

Solution Description

Upgrade to version 2.6.16.7 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

The Linux Kernel contains a flaw that may allow a malicious user to bypass IPC permissions. The issue is triggered because a 'madvise_remove' call does not follow file and mmap restrictions. It is possible that the flaw may allow an attacker to bypass IPC permissions and replace portions of readonly TMPFS files with zeroes, resulting in a loss of integrity.

References:

Vendor Specific News/Changelog Entry: http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.6 Vendor Specific News/Changelog Entry: http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.7 Vendor Specific Advisory URL Vendor Specific Advisory URL Secunia Advisory ID:19664 Secunia Advisory ID:20671 Secunia Advisory ID:19657 Secunia Advisory ID:20398 Secunia Advisory ID:21954 Secunia Advisory ID:19735 Other Advisory URL: http://www.us.debian.org/security/2006/dsa-1097 Keyword: aka the MADV_REMOVE vulnerability CVE-2006-1524 Bugtraq ID: 17587