local system compromise in Linux Kernel (x86_64, AMD64)

ID SUSE-SA:2004:003
Type suse
Reporter Suse
Modified 2004-01-15T15:10:36


The do_mremap() function of the Linux Kernel is used to manage (move, resize) Virtual Memory Areas (VMAs). By exploiting an incorrect bounds check in do_mremap() during the remapping of memory, it is possible to create a VMA with a size of 0. In normal operation do_mremap() leaves a memory hole of one page and creates an additional VMA of two pages; in the exploited case no hole is created, but the new VMA has a length of 0 bytes. The Linux Kernel's memory management is corrupted from this point on and can be abused by local users to gain root privileges. Additionally, Andi Kleen of SUSE LINUX found and fixed another bug in the 32-bit emulation of ptrace() which allows CPU registers to be modified from user space to gain full access to system resources.
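As an added illustration (not part of the SUSE advisory and not the kernel's own do_mremap() code), the following C model shows the argument validation a remap routine needs before it touches the VMA list, including a refusal of the zero-length relocation the advisory describes. The flag values mirror the real MREMAP_MAYMOVE and MREMAP_FIXED constants; PAGE_SIZE, the TASK_SIZE approximation and the function name check_remap_args() are assumptions chosen for this example.

```c
#include <errno.h>
#include <stdio.h>

/* Illustrative model, not kernel code. Constants assume a 4 KiB page
 * and a 47-bit user address space (an approximation of x86_64). */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define PAGE_MASK  (~(PAGE_SIZE - 1))
#define TASK_SIZE  (1UL << 47)                 /* assumed user/kernel split */
#define PAGE_ALIGN(x) (((x) + PAGE_SIZE - 1) & PAGE_MASK)

#define MREMAP_MAYMOVE 1                       /* same values as the real flags */
#define MREMAP_FIXED   2

/* Validate a remap request. Returns 0 when acceptable, -EINVAL otherwise.
 * Nothing here touches a VMA; the point is that every rejection happens
 * before any bookkeeping is changed. */
int check_remap_args(unsigned long addr, unsigned long old_len,
                     unsigned long new_len, unsigned long flags,
                     unsigned long new_addr)
{
    unsigned long old_aligned, new_aligned;

    if (flags & ~(MREMAP_MAYMOVE | MREMAP_FIXED))
        return -EINVAL;
    if (addr & ~PAGE_MASK)
        return -EINVAL;

    /* Round lengths up to whole pages. A rounded value smaller than the
     * input means the addition wrapped around, so reject it. */
    old_aligned = PAGE_ALIGN(old_len);
    new_aligned = PAGE_ALIGN(new_len);
    if (old_aligned < old_len || new_aligned < new_len)
        return -EINVAL;

    /* The existing range must lie inside the user address space. */
    if (addr >= TASK_SIZE || old_aligned > TASK_SIZE - addr)
        return -EINVAL;

    if (flags & MREMAP_FIXED) {
        if (!(flags & MREMAP_MAYMOVE))
            return -EINVAL;
        if (new_addr & ~PAGE_MASK)
            return -EINVAL;
        if (new_addr >= TASK_SIZE || new_aligned > TASK_SIZE - new_addr)
            return -EINVAL;
        /* A relocated mapping must not land on top of the old one. */
        if (new_addr < addr + old_aligned && addr < new_addr + new_aligned)
            return -EINVAL;
        /* A zero-length mapping is only meaningful as an in-place
         * truncation. A zero-length VMA created somewhere else is the
         * shape the advisory describes and is refused here. */
        if (new_aligned == 0 && new_addr != addr)
            return -EINVAL;
    }

    return 0;
}

int main(void)
{
    /* Constructed sample requests: a plain grow, an in-place truncation,
     * and a zero-length relocation. */
    printf("grow in place      -> %d\n",
           check_remap_args(0x10000UL, 0x2000UL, 0x4000UL, MREMAP_MAYMOVE, 0UL));
    printf("truncate in place  -> %d\n",
           check_remap_args(0x10000UL, 0x2000UL, 0UL, 0UL, 0UL));
    printf("zero-length move   -> %d\n",
           check_remap_args(0x10000UL, 0x2000UL, 0UL,
                            MREMAP_MAYMOVE | MREMAP_FIXED, 0x40000UL));
    return 0;
}
```

The model deliberately validates only arguments; whether a non-fixed grow can be satisfied in place or needs a move is a later decision that depends on the neighbouring VMAs and is not represented here.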