Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

CVE-2010-4258

Disclosure Date: December 30, 2010
CVE-2010-4258
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The do_exit function in kernel/exit.c in the Linux kernel before 2.6.36.2 does not properly handle a KERNEL_DS get_fs value, which allows local users to bypass intended access_ok restrictions, overwrite arbitrary kernel memory locations, and gain privileges by leveraging a (1) BUG, (2) NULL pointer dereference, or (3) page fault, as demonstrated by vectors involving the clear_child_tid feature and the splice system call.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

References

Canonical
CVE-2010-4258 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4258)
Advisory
[oss-security] 20101202 CVE request: kernel: failure to revert address limit override in OOPS error path (http://openwall.com/lists/oss-security/2010/12/02/2)
SECUNIA-43056 (http://secunia.com/advisories/43056)
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00004.html
SECUNIA-42778 (http://secunia.com/advisories/42778)
[oss-security] 20101202 kernel: Dangerous interaction between clear_child_tid, set_fs(), and kernel oopses (http://openwall.com/lists/oss-security/2010/12/02/3)
http://git.kernel.org?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=33dd94ae1ccbfb7bf0fb6c692bc3d1c4269e6177
SECUNIA-42801 (http://secunia.com/advisories/42801)
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00001.html
[oss-security] 20101209 Re: kernel: Dangerous interaction between clear_child_tid, set_fs(), and kernel oopses (http://openwall.com/lists/oss-security/2010/12/09/4)
FEDORA-2010-18983 (http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052513.html)
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00000.html
SECUNIA-42932 (http://secunia.com/advisories/42932)
20101207 Linux kernel exploit (http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0086.html)
ADV-2011-0124 (http://www.vupen.com/english/advisories/2011/0124)
[linux-kernel] 20101201 [PATCH v2] do_exit(): Make sure we run with get_fs() == USER_DS. (http://marc.info?l=linux-kernel&m=129117048916957&w=2)
http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html
ADV-2010-3321 (http://www.vupen.com/english/advisories/2010/3321)
[oss-security] 20101208 Re: kernel: Dangerous interaction between clear_child_tid, set_fs(), and kernel oopses (http://openwall.com/lists/oss-security/2010/12/08/9)
ADV-2011-0298 (http://www.vupen.com/english/advisories/2011/0298)
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.36.2
[oss-security] 20101209 Re: kernel: Dangerous interaction between clear_child_tid, set_fs(), and kernel oopses (http://openwall.com/lists/oss-security/2010/12/09/14)
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00007.html
http://code.google.com/p/chromium-os/issues/detail?id=10234
ADV-2011-0375 (http://www.vupen.com/english/advisories/2011/0375)
[linux-kernel] 20101201 Re: [PATCH v2] do_exit(): Make sure we run with get_fs() == USER_DS. (https://lkml.org/lkml/2010/12/1/543)
http://googlechromereleases.blogspot.com/2011/01/chrome-os-beta-channel-update.html
ADV-2011-0012 (http://www.vupen.com/english/advisories/2011/0012)
http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00002.html
[oss-security] 20101202 Re: kernel: Dangerous interaction between clear_child_tid, set_fs(), and kernel oopses (http://openwall.com/lists/oss-security/2010/12/02/4)
http://www.mandriva.com/security/advisories?name=MDVSA-2011:029
SECUNIA-42745 (http://secunia.com/advisories/42745)
[oss-security] 20101202 Re: CVE request: kernel: failure to revert address limit override in OOPS error path (http://openwall.com/lists/oss-security/2010/12/02/7)
[oss-security] 20101208 Re: kernel: Dangerous interaction between clear_child_tid, set_fs(), and kernel oopses (http://openwall.com/lists/oss-security/2010/12/08/5)
SECUNIA-43291 (http://secunia.com/advisories/43291)
ADV-2011-0213 (http://www.vupen.com/english/advisories/2011/0213)
https://bugzilla.redhat.com/show_bug.cgi?id=659567
[oss-security] 20101208 Re: kernel: Dangerous interaction between clear_child_tid, set_fs(), and kernel oopses (http://openwall.com/lists/oss-security/2010/12/08/4)
Miscellaneous
http://blog.nelhage.com/2010/12/cve-2010-4258-from-dos-to-privesc

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis