Release date:
Updated on:
Affected Systems:
Linux kernel 2.6.x
Description:
--------------------------------------------------------------------------------
Bugtraq id: 46492
Cve id: CVE-2011-1010
The Linux kernel is the kernel of the open-source Linux operating system.
The Linux kernel's Mac partition table parser (mac_partition() in fs/partitions/mac.c) reads the 32-bit map_count field from the on-disk partition map into a signed int and uses it, unchecked, as the upper bound of the loop that reads and registers partition map entries. A local attacker who can present a crafted Mac partition table (for example on a removable or loop device) can exploit this missing validation to bypass security restrictions and perform unauthorized operations.
<* Source: Timo Warns (<warns@pre-sense.de>)
Link: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=fa7ea87a057958a8b7926c1a60a3ca6d696328ed
*>
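The following user-space model, added here as an example (it is not code from the advisory or from the kernel tree), shows the difference between the unchecked and the checked handling of map_count. It builds constructed 512-byte sectors holding the first Apple Partition Map entry (signature "PM" at offset 0, big-endian map_count at offset 4), narrows the count to a signed int exactly as the kernel does, and applies the bound check that the fix introduces. DISK_MAX_PARTS is assumed to be 256, the kernel's partition slot limit; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DISK_MAX_PARTS      256     /* assumed kernel partition slot limit */
#define MAC_PARTITION_MAGIC 0x504d  /* "PM" */

/* Big-endian field readers: the on-disk map is big-endian, as be32_to_cpu() implies. */
static uint16_t rd_be16(const unsigned char *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

static uint32_t rd_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Constructed input: a sector holding the first partition map entry with the
 * given map_count. Only the fields the check looks at are filled in. */
void build_map_sector(unsigned char sector[512], uint32_t map_count)
{
    memset(sector, 0, 512);
    sector[0] = 'P';
    sector[1] = 'M';
    sector[4] = (unsigned char)(map_count >> 24);
    sector[5] = (unsigned char)(map_count >> 16);
    sector[6] = (unsigned char)(map_count >> 8);
    sector[7] = (unsigned char)map_count;
}

/* Pre-fix behaviour: the 32-bit count is narrowed to int and used directly as
 * the bound of "for (blk = 1; blk <= blocks_in_map; ++blk)". A count such as
 * 0x7fffffff is accepted and drives about 2^31 sector reads. Returns -1 when
 * the signature does not match (the old "not a MacOS disk" exit). */
long unchecked_loop_bound(const unsigned char *sector)
{
    if (rd_be16(sector) != MAC_PARTITION_MAGIC)
        return -1;
    int blocks_in_map = (int)rd_be32(sector + 4);  /* same narrowing as the kernel */
    return blocks_in_map;
}

/* Post-fix behaviour: reject counts that went negative in the narrowing and
 * counts that would index past the DISK_MAX_PARTS partition slots. Returns
 * the accepted bound, or -1 where the patch returns "not a MacOS disk". */
int checked_loop_bound(const unsigned char *sector)
{
    if (rd_be16(sector) != MAC_PARTITION_MAGIC)
        return -1;
    int blocks_in_map = (int)rd_be32(sector + 4);
    if (blocks_in_map < 0 || blocks_in_map >= DISK_MAX_PARTS)
        return -1;
    return blocks_in_map;
}

/* Convenience wrappers: build a sector for map_count, optionally corrupt the
 * signature, and evaluate one of the two bounds on it. */
long unchecked_bound_for(uint32_t map_count, int good_signature)
{
    unsigned char sector[512];
    build_map_sector(sector, map_count);
    if (!good_signature)
        sector[0] = 'X';
    return unchecked_loop_bound(sector);
}

int checked_bound_for(uint32_t map_count, int good_signature)
{
    unsigned char sector[512];
    build_map_sector(sector, map_count);
    if (!good_signature)
        sector[0] = 'X';
    return checked_loop_bound(sector);
}

int main(void)
{
    static const uint32_t samples[] = { 3, 255, 256, 0x7fffffffu, 0xffffffffu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("map_count=0x%08x  unchecked bound=%ld  checked bound=%d\n",
               samples[i], unchecked_bound_for(samples[i], 1),
               checked_bound_for(samples[i], 1));
    return 0;
}
```

The two interesting inputs are 0x7fffffff, which the unchecked code accepts as a loop bound of 2147483647, and 0xffffffff, which the narrowing turns into -1 and which the old loop would simply skip; the checked version rejects both, together with any count at or above DISK_MAX_PARTS.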
Test method:
--------------------------------------------------------------------------------
Warning
The following procedures (methods) may be offensive and are intended for security research and teaching only. Use them at your own risk!
Timo Warns (<warns@pre-sense.de>) provided the following fix patch:
Int mac_partition (struct parsed_partitions * state)
{
-Int slot = 1;
Sector sect;
Unsigned char * data;
-Int blk, blocks_in_map;
+ Int slot, blocks_in_map;
Unsigned secsize;
# Ifdef CONFIG_PPC_PMAC
Int found_root = 0;
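Review bot: Removing `blk` and the `slot = 1` initialiser leaves `slot` uninitialised at its declaration, so every use must now be reached through the `for (slot = 1; ...)` in the following hunk, and every former reference to `blk` must be renamed; `found_root = blk` is covered further down, but any other use of `blk`, or of the old trailing `++slot`, that is outside these hunks would no longer compile. Please confirm the whole function body, not just the hunks, was checked for leftover references.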
@-59,10 + 58,14 @ int mac_partition (struct parsed_partitions * state)
Put_dev_sector (sect );
Return 0;/* not a MacOS disk */
}
-Strlcat (state-> pp_buf, "[mac]", PAGE_SIZE );
Blocks_in_map = be32_to_cpu (part-> map_count );
-For (blk = 1; blk <= blocks_in_map; ++ blk ){
-Int pos = blk * secsize;
+ If (blocks_in_map <0 | blocks_in_map> = DISK_MAX_PARTS ){
+ Put_dev_sector (sect );
+ Return 0;
+}
+ Strlcat (state-> pp_buf, "[mac]", PAGE_SIZE );
+ For (slot = 1; slot <= blocks_in_map; ++ slot ){
+ Int pos = slot * secsize;
Put_dev_sector (sect );
Data = read_part_sector (state, pos/512, & sect );
If (! Data)
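Review bot: The `< 0` half of `if (blocks_in_map < 0 || blocks_in_map >= DISK_MAX_PARTS)` only works because the unsigned result of `be32_to_cpu()` is narrowed into a signed `int`; declaring `blocks_in_map` as an unsigned type and keeping just `blocks_in_map >= DISK_MAX_PARTS` would express the intent without relying on that conversion. Moving the `strlcat(state->pp_buf, "[mac]", PAGE_SIZE)` after the check is the right call, since the buffer should not advertise a Mac table that is then rejected. With the count now bounded by DISK_MAX_PARTS, `int pos = slot * secsize` can no longer grow without limit the way it could under the old 2^31 bound, provided `secsize` itself is sanity-checked (not visible in this hunk).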
@-113,13 + 116,11 @ int mac_partition (struct parsed_partitions * state)
}
If (goodness> found_root_goodness ){
-Found_root = blk;
+ Found_root = slot;
Found_root_goodness = goodness;
}
}
# Endif/* CONFIG_PPC_PMAC */
-
-++ Slot;
}
# Ifdef CONFIG_PPC_PMAC
If (found_root_goodness)
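Review bot: Dropping the trailing `++slot` is what makes `slot` equivalent to the old `blk`, since the `for` header now advances it; `found_root = slot` therefore records the same index as `found_root = blk` did. Any `continue` in the loop body (none is visible here) would previously have skipped the `++slot` and shifted the slot numbering, so it is worth confirming there is none before relying on the two being identical.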
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Linux
-----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.kernel.org/