Credit:
The original article can be found at: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2745
Vulnerable Systems:
* Ubuntu Linux 11.04 powerpc
* Ubuntu Linux 11.04 i386
* Ubuntu Linux 11.04 ARM
* Ubuntu Linux 11.04 amd64
* Ubuntu Linux 10.04 sparc
* Ubuntu Linux 10.04 powerpc
* Ubuntu Linux 10.04 i386
* Ubuntu Linux 10.04 ARM
* Ubuntu Linux 10.04 amd64
keyctl_session_to_parent(task) sets ->replacement_session_keyring on the parent; the pending cred is meant to be installed, and the field cleared, by key_replace_session_keyring() when the task next processes TIF_NOTIFY_RESUME.
However, the task can fork before it notices TIF_NOTIFY_RESUME, and dup_task_struct() copies the stale ->replacement_session_keyring into the new child. The child now holds a pointer to a cred it never took a reference on. This is obviously wrong and, if nothing else, it
leads to put_cred(already_freed_cred): parent and child both drop the single reference the parent held.
This causes the following panic on ppc64:
Kernel panic - not syncing: CRED: put_cred_rcu() sees c0000001f41a4480 with usage -1
Call Trace:
[c0000001fff53bc0] [c000000000012f04] .show_stack+0x74/0x1c0 (unreliable)
[c0000001fff53c70] [c0000000005c2d18] .panic+0xb8/0x1ec
[c0000001fff53d00] [c0000000000c7858] .put_cred_rcu+0x118/0x120
[c0000001fff53d80] [c000000000117708] .__rcu_process_callbacks+0x158/0x3f0
[c0000001fff53e30] [c0000000001179d4] .rcu_process_callbacks+0x34/0x70
[c0000001fff53eb0] [c00000000009cb18] .__do_softirq+0x118/0x290
[c0000001fff53f90] [c000000000031e28] .call_do_softirq+0x14/0x24
[c0000001fcf7b990] [c00000000000e700] .do_softirq+0xf0/0x110
[c0000001fcf7ba30] [c00000000009c834] .irq_exit+0xb4/0xc0
[c0000001fcf7bab0] [c00000000002e3b8] .timer_interrupt+0x108/0x160
[c0000001fcf7bb40] [c000000000003718] decrementer_common+0x118/0x180
--- Exception: 901 at .raw_local_irq_restore+0x54/0x60
LR = .cpu_idle+0x14c/0x1d0
The panic is reached because powerpc does not, currently, call key_replace_session_keyring() from its TIF_NOTIFY_RESUME handler, so the copied pointer is never consumed and stays live in both tasks. i386, x86_64, s390 and ia64 all do call the keyrings code from that handler, so the attack window there is much smaller, though still present.
An unprivileged local user could use this flaw to crash the system.
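The refcount lifecycle described above, modelled in userspace as an added example (this is not kernel code and not part of the advisory): a cred with a usage count, a task holding its current cred plus the pending replacement_session_keyring, and a fork that either copies the pending pointer as the vulnerable dup_task_struct() did or clears it for the child, which is what the upstream fix does. The "resume before fork" switch stands in for an architecture whose TIF_NOTIFY_RESUME handler calls the keyrings code and for the parent getting back to userspace before it forks. Names such as run_scenario() and fork_task() are this example's own; the cred, task and function names mirror the kernel ones only for readability.

```c
#include <stdio.h>

/* Model of the kernel objects involved (illustration only). */
struct cred {
    int usage;   /* stands in for atomic_t usage */
    int freed;   /* set once put_cred_rcu() would have freed it */
};

struct task_struct {
    struct cred *cred;
    struct cred *replacement_session_keyring;
};

/* Number of "put_cred_rcu() sees ... with usage -1" events. */
static int put_cred_panics;

static void get_cred(struct cred *c) { c->usage++; }

/* put_cred(): drop one reference; a drop below zero is the panic. */
static void put_cred(struct cred *c)
{
    c->usage--;
    if (c->usage == 0)
        c->freed = 1;          /* kernel would free it via RCU */
    else if (c->usage < 0)
        put_cred_panics++;     /* put on an already-freed cred */
}

/* keyctl_session_to_parent(): park a freshly prepared cred (one reference)
 * in the parent's pending slot; the parent should install it later. */
static void keyctl_session_to_parent(struct task_struct *parent,
                                     struct cred *newcred)
{
    newcred->usage = 1;
    newcred->freed = 0;
    parent->replacement_session_keyring = newcred;
}

/* key_replace_session_keyring(): what the TIF_NOTIFY_RESUME handler does
 * where the keyrings code is called: move the pending cred into ->cred. */
static void key_replace_session_keyring(struct task_struct *t)
{
    struct cred *pending = t->replacement_session_keyring;
    struct cred *old;

    if (!pending)
        return;
    t->replacement_session_keyring = NULL;
    old = t->cred;
    t->cred = pending;         /* the reference moves from the slot to ->cred */
    put_cred(old);
}

/* Fork: dup_task_struct() copies the whole task_struct, pending pointer
 * included, without taking a reference. The fixed variant clears the
 * child's slot (assumed here to model the upstream fix). */
static void fork_task(const struct task_struct *parent,
                      struct task_struct *child, int fixed)
{
    *child = *parent;
    get_cred(child->cred);     /* the child's own reference on ->cred */
    if (fixed)
        child->replacement_session_keyring = NULL;
}

/* exit_creds(): drop ->cred and any replacement still pending. */
static void exit_creds(struct task_struct *t)
{
    if (t->replacement_session_keyring) {
        put_cred(t->replacement_session_keyring);
        t->replacement_session_keyring = NULL;
    }
    put_cred(t->cred);
    t->cred = NULL;
}

/* Returns how many put_cred() panics the sequence produced. */
int run_scenario(int fixed, int resume_before_fork)
{
    struct cred orig = { 1, 0 }, replacement;
    struct task_struct parent = { &orig, NULL }, child;

    put_cred_panics = 0;
    keyctl_session_to_parent(&parent, &replacement);
    if (resume_before_fork)
        key_replace_session_keyring(&parent);   /* window missed */
    fork_task(&parent, &child, fixed);          /* window hit otherwise */
    exit_creds(&child);
    exit_creds(&parent);
    return put_cred_panics;
}

int main(void)
{
    printf("vulnerable, fork in window : %d panic(s)\n", run_scenario(0, 0));
    printf("vulnerable, resumed first  : %d panic(s)\n", run_scenario(0, 1));
    printf("fixed, fork in window      : %d panic(s)\n", run_scenario(1, 0));
    printf("fixed, resumed first       : %d panic(s)\n", run_scenario(1, 1));
    return 0;
}
```

Only the vulnerable copy combined with a fork inside the window double-puts the pending cred: the child's exit drops the usage to 0 and frees it, and the parent's exit then sees usage -1, which is the put_cred_rcu() check in the trace above. Clearing the child's slot on fork makes the outcome independent of whether the architecture's resume handler ran first.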
CVE Information:
CVE-2012-2745
Disclosure Timeline:
Published: Jul 10 2012
Updated: Oct 11 2012