[PATCH 0/3] CVE-2010-4258
Brad Figg
brad.figg at canonical.com
Mon Feb 28 18:40:52 UTC 2011
Following this email will be 3 patches associated with this CVE. The patches
apply cleanly to Dapper, Hardy and Karmic. Lucid, Maverick and Natty have
already been patched for this issue via upstream stable commits (or regular
upstream commits).
If a user manages to trigger an oops with fs set to KERNEL_DS, fs is not
otherwise reset before do_exit(). do_exit may later (via mm_release in
fork.c) do a put_user to a user-controlled address, potentially allowing
a user to leverage an oops into a controlled write into kernel memory.
This is only triggerable in the presence of another bug, but this
potentially turns a lot of DoS bugs into privilege escalations, so it's
worth fixing. I have proof-of-concept code which uses this bug along
with CVE-2010-3849 to write a zero to an arbitrary kernel address, so
I've tested that this is not theoretical.
A more logical place to put this fix might be when we know an oops has
occurred, before we call do_exit(), but that would involve changing
every architecture, in multiple places.
Let's just stick it in do_exit instead.
Nelson Elhage (1):
do_exit(): make sure that we run with get_fs() == USER_DS
kernel/exit.c | 9 +++++++++
1 files changed, 9 insertions(+), 0 deletions(-)
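The mechanism the cover letter describes (fs left at KERNEL_DS after an oops, then mm_release() doing a put_user() to a user-controlled address during exit) can be seen in a small userland model. This is an added illustration, not the kernel's code and not the patch in this series: USER_DS, KERNEL_DS, the fake kernel address and the "kernel word" are constructed values, the put_user()/access_ok() functions are simplified stand-ins, and the check in do_exit_model() is this model's assumption about what "make sure that we run with get_fs() == USER_DS" amounts to.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of the exit-path write described in the cover letter.
 * Added illustration only: not kernel code and not the series' patch.
 * Limits, addresses and the "kernel memory" word are constructed. */

#define USER_DS   0x00001000u   /* constructed: addresses below this are "user" */
#define KERNEL_DS 0xffffffffu   /* constructed: everything is reachable */

/* Constructed stand-in for the per-task addr_limit behind get_fs()/set_fs(). */
static uint32_t addr_limit = USER_DS;

static uint32_t get_fs(void) { return addr_limit; }
static void set_fs(uint32_t ds) { addr_limit = ds; }

/* Constructed "kernel memory": one word living at a fake kernel address. */
#define FAKE_KERNEL_ADDR 0x00002000u
static uint32_t kernel_word = 0xdeadbeef;

/* Model of access_ok(): a write is allowed only below the current limit. */
static bool access_ok(uint32_t addr) { return addr < addr_limit; }

/* Model of put_user(): honours access_ok(); returns -1 (EFAULT-like) on refusal. */
static int put_user(uint32_t val, uint32_t addr) {
    if (!access_ok(addr))
        return -1;
    if (addr == FAKE_KERNEL_ADDR)
        kernel_word = val;       /* the controlled write the text warns about */
    return 0;
}

/* Model of the clear_child_tid write that mm_release() performs on exit.
 * Assumption of this model: the address is user-controlled, as the text says. */
static int mm_release_model(uint32_t clear_child_tid) {
    return put_user(0, clear_child_tid);
}

/* Exit path with and without resetting fs first (apply_fix selects which). */
static int do_exit_model(uint32_t clear_child_tid, bool apply_fix) {
    if (apply_fix && get_fs() == KERNEL_DS)   /* assumed shape of the fix's check */
        set_fs(USER_DS);
    return mm_release_model(clear_child_tid);
}

/* Scenario: an oops leaves fs == KERNEL_DS, then the task exits.
 * Returns the "kernel word" after exit; 0 means the write went through. */
uint32_t scenario(bool apply_fix) {
    kernel_word = 0xdeadbeef;
    set_fs(KERNEL_DS);                       /* state left behind by the oops */
    do_exit_model(FAKE_KERNEL_ADDR, apply_fix);
    set_fs(USER_DS);                         /* reset the model between runs */
    return kernel_word;
}

int main(void) {
    printf("unfixed: kernel word = 0x%08x\n", scenario(false));
    printf("fixed:   kernel word = 0x%08x\n", scenario(true));
    return 0;
}
```

Without the reset, the exit-path put_user() succeeds against the fake kernel address because access_ok() is satisfied by the stale KERNEL_DS limit; with the reset, the same write fails the limit check and the word is untouched. That is the window the series closes, and why the cover letter treats an otherwise DoS-only oops as escalation-relevant.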