Linux Kernel "mremap()" Missing Return Value Checking Privilege Escalation
Secunia Advisory: SA10897
Release Date: 2004-02-18
Critical: Less critical
Impact: Privilege escalation
Where: Local system
OS: Linux Kernel 2.2.x
Linux Kernel 2.4.x
Linux Kernel 2.6.x
Description:
Paul Starzetz has reported a vulnerability in the Linux kernel, which can be exploited by malicious, local users to gain escalated privileges on a vulnerable system.
The problem is that the "mremap()" system call doesn't check values returned by the "do_munmap()" kernel function when moving VMAs (Virtual Memory Areas) or parts thereof.
Successful exploitation allows execution of arbitrary code with kernel level privileges.
The following versions are reportedly affected:
* Branch 2.2.x up to 2.2.25
* Branch 2.4.x up to 2.4.24
* Branch 2.6.x up to 2.6.2
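A version check against the ranges listed above, as an added example that is not part of the Secunia advisory. The function name `mremap_affected` and the sample release strings are constructed for illustration. A match only says the release number falls in a listed range: distribution kernels can carry a backported fix under an unchanged version number, so confirm against the vendor's own advisory.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a kernel release string
# against the affected ranges listed in SA10897.
# Usage on a live host: mremap_affected "$(uname -r)"; echo $?
#
# Return codes (hypothetical convention for this example):
#   0 = in an affected range          1 = outside the listed ranges
#   2 = unrecognised release string   3 = -rc/-pre build of the first release
#                                         past a range; the advisory does not
#                                         say, so verify manually
mremap_affected() {
    rel=$1
    # Keep the leading "major.minor.patch"; the rest is a build suffix.
    ver=$(printf '%s\n' "$rel" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    suffix=${rel#"$ver"}
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}

    [ "$major" -eq 2 ] || return 1
    case $minor in
        2) last=25 ;;   # 2.2.x up to 2.2.25
        4) last=24 ;;   # 2.4.x up to 2.4.24
        6) last=2 ;;    # 2.6.x up to 2.6.2
        *) return 1 ;;
    esac
    [ "$patch" -le "$last" ] && return 0
    if [ "$patch" -eq $((last + 1)) ]; then
        case $suffix in
            -rc*|-pre*) return 3 ;;
        esac
    fi
    return 1
}

# Constructed sample release strings.
for r in 2.2.25 2.4.24-1-686 2.4.25 2.6.2 2.6.3-rc1 2.6.3 garbage; do
    status=0
    mremap_affected "$r" || status=$?
    case $status in
        0) echo "$r: in affected range" ;;
        1) echo "$r: outside listed ranges" ;;
        3) echo "$r: pre-release after last affected version, verify manually" ;;
        *) echo "$r: unrecognised release string" ;;
    esac
done
```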
Exploit code has reportedly been developed and will be released next week.
NOTE: This is not the same vulnerability as the one reported in early January 2004 in the same system call.
Solution:
Update to a non-vulnerable version.
http://www.kernel.org/
Grant only trusted users access to an affected system.
http://secunia.com/advisories/10897/
