Vulnerability CVE-2010-3904


Published: 2010-12-06   Modified: 2012-02-13

Description:
The rds_page_copy_user function in net/rds/page.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel before 2.6.36 does not properly validate addresses obtained from user space, which allows local users to gain privileges via crafted use of the sendmsg and recvmsg system calls. The function copied message pages to and from the caller's iovec buffer with the __copy_to_user_inatomic/__copy_from_user_inatomic helpers, which skip the access_ok() range check, so an unprivileged process could pass a kernel address as its buffer and have the kernel write attacker-controlled bytes there (recvmsg) or read kernel memory from it (sendmsg). The fix (commit 799c10559d60, merged for 2.6.36) replaces those helpers with copy_to_user/copy_from_user, which perform the check. The bug is reachable as soon as the rds module is loaded; on distributions that let unprivileged users auto-load protocol modules, creating an AF_RDS socket is enough, so the vendor-recommended workaround until a patched kernel was installed was to prevent the module from loading (an "install rds /bin/true" line in /etc/modprobe.d).
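The following is an added example written for this page; it is not code from the Linux kernel, from the vsecurity advisory, or from the linked exploit. It is a user-space model of the missing check: the pre-2.6.36 copy path ran the unchecked __copy_{to,from}_user_inatomic() helpers first and only fell back to the checked copy_to_user()/copy_from_user() if that copy faulted, which a valid kernel address never does. The flat address_space[] buffer, the USER_LIMIT split, the KSLOT "kernel object" and every model_* name are constructed for the model; the fixed path models what commit 799c10559d60 does by checking the range before copying.

```c
/*
 * Added example (not kernel code, not the linked exploit): user-space model of
 * the access_ok() check that rds_page_copy_user() skipped before 2.6.36.
 * The address space, the user/kernel split and the kernel slot are constructed.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed flat address space: [0, USER_LIMIT) is "user", the rest "kernel". */
#define AS_SIZE     4096
#define USER_LIMIT  2048          /* plays the role of TASK_SIZE */
#define KSLOT       3000          /* a kernel object an attacker would want to reach */
#define SLOT_LEN    8

static unsigned char address_space[AS_SIZE];

/* Models access_ok(): the whole range must sit below USER_LIMIT, without wrap. */
int model_access_ok(uintptr_t addr, size_t len)
{
    return len <= USER_LIMIT && addr <= USER_LIMIT - len;
}

/* Models __copy_{to,from}_user_inatomic(): no access_ok() at all.
 * The AS_SIZE bound only keeps the model inside its own buffer. */
static unsigned long raw_copy(uintptr_t uaddr, unsigned char *kbuf, size_t len, int to_user)
{
    if (len > AS_SIZE || uaddr > AS_SIZE - len)
        return len;                              /* nothing copied */
    if (to_user)
        memcpy(address_space + uaddr, kbuf, len);
    else
        memcpy(kbuf, address_space + uaddr, len);
    return 0;
}

/* Models copy_to_user()/copy_from_user(): access_ok() first, then the copy. */
static unsigned long checked_copy(uintptr_t uaddr, unsigned char *kbuf, size_t len, int to_user)
{
    if (!model_access_ok(uaddr, len))
        return len;
    return raw_copy(uaddr, kbuf, len, to_user);
}

/* Same shape as rds_page_copy_user(page, offset, ptr, bytes, to_user).
 * fixed == 0 behaves like the pre-2.6.36 code, fixed == 1 like the patched one. */
int model_rds_page_copy_user(unsigned char *page, unsigned long offset,
                             uintptr_t ptr, size_t bytes, int to_user, int fixed)
{
    unsigned long ret = fixed ? checked_copy(ptr, page + offset, bytes, to_user)
                              : raw_copy(ptr, page + offset, bytes, to_user);
    return ret ? -EFAULT : 0;
}

/* Scenario 1: recvmsg() whose iovec base is the kernel address KSLOT.
 * Returns 1 if the kernel slot now holds the message payload. */
int recvmsg_clobbers_kernel_slot(int fixed)
{
    unsigned char payload[SLOT_LEN];             /* constructed RDS message page */
    memset(payload, 0x41, sizeof payload);
    memset(address_space, 0, sizeof address_space);
    memset(address_space + KSLOT, 0xCC, SLOT_LEN);   /* original slot contents */

    int rc = model_rds_page_copy_user(payload, 0, KSLOT, SLOT_LEN, /*to_user=*/1, fixed);
    int clobbered = memcmp(address_space + KSLOT, payload, SLOT_LEN) == 0;
    printf("recvmsg to kernel addr (%s): rc=%d, slot overwritten=%d\n",
           fixed ? "fixed" : "vulnerable", rc, clobbered);
    return clobbered;
}

/* Scenario 2: sendmsg() whose iovec base is KSLOT.
 * Returns 1 if kernel bytes ended up in the outgoing message page. */
int sendmsg_leaks_kernel_slot(int fixed)
{
    unsigned char page[SLOT_LEN];
    memset(page, 0, sizeof page);
    memset(address_space, 0, sizeof address_space);
    memset(address_space + KSLOT, 0xCC, SLOT_LEN);

    int rc = model_rds_page_copy_user(page, 0, KSLOT, SLOT_LEN, /*to_user=*/0, fixed);
    int leaked = page[0] == 0xCC && page[SLOT_LEN - 1] == 0xCC;
    printf("sendmsg from kernel addr (%s): rc=%d, bytes leaked=%d\n",
           fixed ? "fixed" : "vulnerable", rc, leaked);
    return leaked;
}

/* Control: a legitimate user buffer (address 100) still works with the fix. */
int recvmsg_to_user_buffer_rc(int fixed)
{
    unsigned char payload[SLOT_LEN];
    memset(payload, 0x42, sizeof payload);
    memset(address_space, 0, sizeof address_space);
    return model_rds_page_copy_user(payload, 0, 100, SLOT_LEN, 1, fixed);
}

int main(void)
{
    recvmsg_clobbers_kernel_slot(0);
    recvmsg_clobbers_kernel_slot(1);
    sendmsg_leaks_kernel_slot(0);
    sendmsg_leaks_kernel_slot(1);
    return 0;
}
```

The point the model makes is the one CWE-20 names: the kernel trusted a user-supplied pointer because the helper it called assumed the caller had already validated it. Any in-kernel copy helper prefixed with a double underscore carries that assumption, and the fixed path here is simply the checked variant.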

See advisories in our WLB2 database:
Risk   Topic                                                  Author          Date
High   Linux RDS Protocol Local Privilege Escalation          Dan Rosenberg   20.10.2010
Med.   Reliable Datagram Sockets (RDS) Privilege Escalation   Dan Rosenberg   21.05.2018

Type: CWE-20 (Improper Input Validation)

Vendor: Linux
Product: Kernel 
Version:
2.6.9
2.6.8.1
2.6.8
2.6.7
2.6.6
2.6.5
2.6.4
2.6.35.9
2.6.35.8
2.6.35.7
2.6.35.6
2.6.35.5
2.6.35.4
2.6.35.3
2.6.35.2
2.6.35.1
2.6.35
2.6.34.7
2.6.34.6
2.6.34.5
2.6.34.4
2.6.34.3
2.6.34.2
2.6.34.1
2.6.34
2.6.33.7
2.6.33.6
2.6.33.5
2.6.33.4
2.6.33.3
2.6.33.2
2.6.33.1
2.6.33
2.6.32.9
2.6.32.8
2.6.32.7
2.6.32.6
2.6.32.5
2.6.32.4
2.6.32.3
2.6.32.20
2.6.32.2
2.6.32.19
2.6.32.18
2.6.32.17
2.6.32.16
2.6.32.15
2.6.32.14
2.6.32.13
2.6.32.12
See more versions on NVD
Product: Linux kernel
Version: same list as for Product: Kernel above (see more versions on NVD)

CVSS2 => (AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

References:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=799c10559d60f159ab2232203f222f18fa3c4a5f
http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00008.html
http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html
http://securitytracker.com/id?1024613
http://www.kb.cert.org/vuls/id/362983
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.36
http://www.redhat.com/support/errata/RHSA-2010-0792.html
http://www.redhat.com/support/errata/RHSA-2010-0842.html
http://www.securityfocus.com/archive/1/520102/100/0/threaded
http://www.ubuntu.com/usn/USN-1000-1
http://www.vmware.com/security/advisories/VMSA-2011-0012.html
http://www.vsecurity.com/download/tools/linux-rds-exploit.c
http://www.vsecurity.com/resources/advisory/20101019-1/
http://www.vupen.com/english/advisories/2011/0298
https://bugzilla.redhat.com/show_bug.cgi?id=642896
https://www.exploit-db.com/exploits/44677/

Related CVE
CVE-2019-19377
In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and unmounting can lead to a use-after-free in btrfs_queue_work in fs/btrfs/async-thread.c.
CVE-2019-19378
In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image can lead to slab-out-of-bounds write access in index_rbio_pages in fs/btrfs/raid56.c.
CVE-2019-19318
In the Linux kernel 5.3.11, mounting a crafted btrfs image twice can cause an rwsem_down_write_slowpath use-after-free because (in rwsem_can_spin_on_owner in kernel/locking/rwsem.c) rwsem_owner_flags returns an already freed pointer,
CVE-2019-14896
A heap-based buffer overflow vulnerability was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join...
CVE-2019-14815
A vulnerability was found in Linux Kernel, where a Heap Overflow was found in mwifiex_set_wmm_params() function of Marvell Wifi Driver.
CVE-2019-19227
In the AppleTalk subsystem in the Linux kernel before 5.1, there is a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrate...
CVE-2019-19036
btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because rcu_dereference(root->node) can be zero.
CVE-2019-19037
ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be zero.

Copyright 2019, cxsecurity.com
