CVE-2010-4258

Priority
Medium
Description
The do_exit function in kernel/exit.c in the Linux kernel before 2.6.36.2
does not properly handle a KERNEL_DS get_fs value, which allows local users
to bypass intended access_ok restrictions, overwrite arbitrary kernel
memory locations, and gain privileges by leveraging a (1) BUG, (2) NULL
pointer dereference, or (3) page fault, as demonstrated by vectors
involving the clear_child_tid feature and the splice system call.
Ubuntu-Description
Nelson Elhage discovered that the kernel did not correctly handle process
cleanup after triggering a recoverable kernel bug. If a local attacker were
able to trigger certain kinds of kernel bugs, they could create a specially
crafted process to gain root privileges.
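The mechanism behind the two descriptions above is compressed, so it is worth spelling out. Kernel code that must run the user-memory helpers on kernel addresses temporarily does set_fs(KERNEL_DS), which makes access_ok() accept any address. Before the upstream fix (commit 33dd94ae, listed under Patches), a task that hit BUG(), a NULL dereference or a page fault while in that state was torn down by do_exit() with KERNEL_DS still in effect; the fix forces set_fs(USER_DS) at the start of do_exit(). One user-memory write on the exit path is the CLONE_CHILD_CLEARTID write: mm_release() does put_user(0, tsk->clear_child_tid), and the pointer is attacker-chosen at clone() time, so with access_ok() neutered it could name a kernel address. The C program below is added here as an illustration; it is not part of the Ubuntu tracker page or of the kernel fix. It exercises that same exit-path write on a patched kernel, where it behaves as designed: the zero lands through a writable user pointer, and is silently dropped when the pointer is not writable. The function names, the sentinel value and the constructed clone()/mmap() setup are this example's own, and it needs Linux with glibc's clone(3) wrapper.

```c
/* CLONE_CHILD_CLEARTID demo: the kernel itself writes a zero through a
 * user-supplied pointer when the child exits.  Added example, not code from
 * the advisory or the kernel patch.  Linux + glibc only. */
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case the GNU feature macro was not active when <sched.h> was
 * read; the values are the Linux ABI constants and the prototype is glibc's. */
#ifndef CLONE_VM
#define CLONE_VM 0x00000100
#endif
#ifndef CLONE_CHILD_CLEARTID
#define CLONE_CHILD_CLEARTID 0x00200000
#endif
int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);

#define STACK_SIZE (64 * 1024)
#define SENTINEL 0x5a5a5a5a   /* constructed marker; the kernel should replace it with 0 */

static int child_fn(void *arg)
{
    (void)arg;
    /* _exit() -> do_exit() -> exit_mm() -> mm_release(): the kernel performs
     * put_user(0, tsk->clear_child_tid) before the address space is dropped.
     * Under USER_DS that put_user() is subject to the normal user-memory checks. */
    _exit(0);
}

/* Run a CLONE_VM child whose clear_child_tid is 'ctid' and reap it.
 * CLONE_VM matters twice: the zero must land in our address space, and
 * mm_release() only does the write when the mm still has other users.
 * Returns 0 on success, -1 if clone()/waitpid() failed. */
static int run_child_with_ctid(pid_t *ctid)
{
    char *stack = malloc(STACK_SIZE);
    if (!stack)
        return -1;
    /* Stack grows down, so pass its top.  SIGCHLD makes plain waitpid() work. */
    pid_t pid = clone(child_fn, stack + STACK_SIZE,
                      CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD,
                      NULL, NULL, NULL, ctid);
    if (pid < 0) {
        free(stack);
        return -1;
    }
    int rc = (waitpid(pid, NULL, 0) == pid) ? 0 : -1;
    free(stack);
    return rc;
}

/* Case 1: writable user page.  Returns the value found after the child exited:
 * 0 means the exit-path write happened. */
int ctid_write_to_writable_page(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    pid_t *ctid = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (ctid == MAP_FAILED)
        return -1;
    *ctid = SENTINEL;
    if (run_child_with_ctid(ctid) != 0)
        return -1;
    int result = *ctid;
    munmap(ctid, pagesz);
    return result;
}

/* Case 2: read-only user page.  put_user() faults, the kernel gets -EFAULT
 * internally and drops the write; nothing crashes and the sentinel survives.
 * Returns the value found after the child exited: SENTINEL means rejected. */
int ctid_write_to_readonly_page(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    pid_t *ctid = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (ctid == MAP_FAILED)
        return -1;
    *ctid = SENTINEL;
    if (mprotect(ctid, pagesz, PROT_READ) != 0)
        return -1;
    if (run_child_with_ctid(ctid) != 0)
        return -1;
    int result = *ctid;
    munmap(ctid, pagesz);
    return result;
}

int main(void)
{
    printf("writable page after child exit:  %#x (0 expected)\n",
           ctid_write_to_writable_page());
    printf("read-only page after child exit: %#x (%#x expected)\n",
           ctid_write_to_readonly_page(), SENTINEL);
    return 0;
}
```

The vulnerable path differs from case 2 only in where the pointer points: with get_fs() == KERNEL_DS the access_ok() range check passes for a kernel address and the same put_user() writes a zero into kernel memory instead of failing. That is why the fix belongs in do_exit() rather than in mm_release(): any user-memory helper reached during teardown inherits the wrong fs value.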
References
Bugs
Package
Source: linux (LP Ubuntu Debian)
Upstream:released (2.6.37~rc5)
Patches:
Upstream:http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=33dd94ae1ccbfb7bf0fb6c692bc3d1c4269e6177
More Information

Updated: 2018-06-26 04:38:37 UTC (commit 7799c934cca373482531a7b00e4dfe82302ceae5)