Back to search
CVE-2010-4258
Published: Dec 30, 2010
Modified: Aug 7, 2024
PUBLISHED
Description
The do_exit function in kernel/exit.c in the Linux kernel before 2.6.36.2 does not properly handle a KERNEL_DS get_fs value, which allows local users to bypass intended access_ok restrictions, overwrite arbitrary kernel memory locations, and gain privileges by leveraging a (1) BUG, (2) NULL pointer dereference, or (3) page fault, as demonstrated by vectors involving the clear_child_tid feature and the splice system call.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
[oss-security] 20101202 CVE request: kernel: failure to revert address limit override in OOPS error path
mailing-list
x_refsource_MLIST
43056
third-party-advisory
x_refsource_SECUNIA
SUSE-SA:2011:004
vendor-advisory
x_refsource_SUSE
42778
third-party-advisory
x_refsource_SECUNIA
[oss-security] 20101202 kernel: Dangerous interaction between clear_child_tid, set_fs(), and kernel oopses
mailing-list
x_refsource_MLIST
42801
third-party-advisory
x_refsource_SECUNIA
SUSE-SA:2011:002
vendor-advisory
x_refsource_SUSE
[oss-security] 20101209 Re: kernel: Dangerous interaction between clear_child_tid, set_fs(), and kernel oopses
mailing-list
x_refsource_MLIST
FEDORA-2010-18983
vendor-advisory
x_refsource_FEDORA
SUSE-SA:2011:001
vendor-advisory
x_refsource_SUSE
42932
third-party-advisory
x_refsource_SECUNIA
20101207 Linux kernel exploit
mailing-list
x_refsource_FULLDISC
ADV-2011-0124
vdb-entry
x_refsource_VUPEN
[linux-kernel] 20101201 [PATCH v2] do_exit(): Make sure we run with get_fs() == USER_DS.
mailing-list
x_refsource_MLIST
SUSE-SA:2011:007
vendor-advisory
x_refsource_SUSE
ADV-2010-3321
vdb-entry
x_refsource_VUPEN
[oss-security] 20101208 Re: kernel: Dangerous interaction between clear_child_tid, set_fs(), and kernel oopses
mailing-list
x_refsource_MLIST
ADV-2011-0298
vdb-entry
x_refsource_VUPEN
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.36.2
x_refsource_CONFIRM
[oss-security] 20101209 Re: kernel: Dangerous interaction between clear_child_tid, set_fs(), and kernel oopses
mailing-list
x_refsource_MLIST
SUSE-SA:2011:005
vendor-advisory
x_refsource_SUSE
http://code.google.com/p/chromium-os/issues/detail?id=10234
x_refsource_CONFIRM
ADV-2011-0375
vdb-entry
x_refsource_VUPEN
[linux-kernel] 20101201 Re: [PATCH v2] do_exit(): Make sure we run with get_fs() == USER_DS.
mailing-list
x_refsource_MLIST
ADV-2011-0012
vdb-entry
x_refsource_VUPEN
SUSE-SA:2011:008
vendor-advisory
x_refsource_SUSE
[oss-security] 20101202 Re: kernel: Dangerous interaction between clear_child_tid, set_fs(), and kernel oopses
mailing-list
x_refsource_MLIST
MDVSA-2011:029
vendor-advisory
x_refsource_MANDRIVA
42745
third-party-advisory
x_refsource_SECUNIA
[oss-security] 20101202 Re: CVE request: kernel: failure to revert address limit override in OOPS error path
mailing-list
x_refsource_MLIST
[oss-security] 20101208 Re: kernel: Dangerous interaction between clear_child_tid, set_fs(), and kernel oopses
mailing-list
x_refsource_MLIST
43291
third-party-advisory
x_refsource_SECUNIA
ADV-2011-0213
vdb-entry
x_refsource_VUPEN
https://bugzilla.redhat.com/show_bug.cgi?id=659567
x_refsource_CONFIRM
[oss-security] 20101208 Re: kernel: Dangerous interaction between clear_child_tid, set_fs(), and kernel oopses
mailing-list
x_refsource_MLIST
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now