
October 21st, 2010, 17:46 GMT

Local Root Vulnerability Patched in Linux Kernel

A local privilege escalation vulnerability that could allow attackers to execute malicious code with root rights was patched in the newly released Linux kernel 2.6.36.

The vulnerability, identified as CVE-2010-3904, is located in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel and can be exploited by issuing specially crafted function calls.

The issue was discovered by vulnerability researcher Dan Rosenberg of Virtual Security Research (VSR), who also published proof-of-concept exploitation code for the flaw.

"When performing this copying of data to user space, the RDS protocol failed to verify that the base address of a user-provided iovec struct pointed to a valid userspace address before using the __copy_to_user_inatomic() function to copy the data.

"As a result, by providing a kernel address as an iovec base and issuing a recvmsg() style socket call, a local user could write arbitrary data into kernel memory. This can be leveraged to escalate privileges to root," the company explains in its advisory.

VSR notes that only Linux installations where the CONFIG_RDS option is set in the kernel configuration are vulnerable.

Another requirement for successful exploitation is that unprivileged users be allowed to load packet family modules, which is true on most distributions.
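The two preconditions above can be checked on a host with a short script. This is an added example, not code from the article or from VSR; the function names are hypothetical, and the `install rds /bin/true` modprobe.d override it looks for is an assumed mitigation that the article does not mention. It reports only whether RDS is reachable, not whether the running kernel carries the fix.

```shell
#!/bin/sh
# Added example (not from the article): check the two preconditions it lists.
# File locations are parameters so the logic runs on constructed input.

# Print "builtin", "module" or "absent" for CONFIG_RDS in a kernel config file.
rds_config_state() {
    case "$(grep -E '^CONFIG_RDS=' "$1" 2>/dev/null | tail -n 1)" in
        CONFIG_RDS=y) echo builtin ;;
        CONFIG_RDS=m) echo module ;;
        *)            echo absent ;;
    esac
}

# Succeed if a modprobe.d rule replaces loading of rds with a no-op command.
# Assumption: the admin uses the "install rds /bin/true" style override.
rds_autoload_blocked() {
    grep -Eqs '^[[:space:]]*install[[:space:]]+rds[[:space:]]+(/usr)?/bin/(true|false)([[:space:]]|$)' \
        "$1"/*.conf
}

# rds_reachability CONFIG_FILE MODPROBE_DIR MODULES_FILE (/proc/modules format)
rds_reachability() {
    case "$(rds_config_state "$1")" in
        absent)  echo "unreachable: CONFIG_RDS is not set"; return 0 ;;
        builtin) echo "reachable: RDS is built into the kernel"; return 0 ;;
    esac
    if grep -Eqs '^rds[[:space:]]' "$3"; then
        echo "reachable: rds module is already loaded"
    elif rds_autoload_blocked "$2"; then
        echo "blocked: rds is a module but its load is overridden"
    else
        echo "reachable: rds module can be loaded on demand"
    fi
}

# Constructed sample input, written to a temporary directory.
rds_demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/modprobe.d"
    printf 'CONFIG_NET=y\nCONFIG_RDS=m\nCONFIG_RDS_TCP=m\n' > "$d/config"
    printf 'ext4 450000 2 - Live 0x0000000000000000\n' > "$d/modules"
    rds_reachability "$d/config" "$d/modprobe.d" "$d/modules"
    printf 'install rds /bin/true\n' > "$d/modprobe.d/disable-rds.conf"
    rds_reachability "$d/config" "$d/modprobe.d" "$d/modules"
    rm -rf "$d"
}
rds_demo
```

On a live system the usual arguments are `/boot/config-$(uname -r)`, `/etc/modprobe.d` and `/proc/modules`; the config file location varies by distribution.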

A patch for the flaw was committed by Linus Torvalds on October 15, two days after the vulnerability was reported to the Linux kernel development team.

"Don't try to 'optimize' rds_page_copy_user() by using kmap_atomic() and the unsafe atomic user mode accessor functions.

"It's actually slower than the straightforward code on any reasonable modern CPU," Torvalds says in the patch notes.

Users are advised to install the kernel updates provided by their respective distribution. According to a Secunia advisory, version 2.6.36 of the Linux kernel also addresses a different arbitrary code execution flaw and several denial of service issues.
