A null pointer dereference in the Linux kernel can be exploited to access a system at root privilege level. The hole is reportedly contained in pipe.c and can occur in certain circumstances when using the pipe_read_open(), pipe_write_open() or pipe_rdwr_open() functions while releasing a mutex (mutual exclusion) too early – which constitutes a classic race condition. So far, the flaw has only been fixed in release candidate 6 of the forthcoming version 2.6.32.

However, like previous null pointer dereference issues in the Linux kernel, the vulnerability can only be exploited if the kernel's mmap_min_addr system variable is set to 0. mmap_min_addr describes the lowest virtual address a process can use for mapping. If it is greater than 0, exploits that involve a null-valued pointer to this address won't work. However, as this will also cause certain open source applications like Wine and DOSEMU to malfunction, distributors such as Red Hat and Debian set the respective value to 0 by default. Red Hat has already released updated packages to close the hole. Debian offers instructions on how to change the variable. In Ubuntu, mmap_min_addr is set to 65535, which renders exploits ineffective.

While developer Earl Chew was the first to officially point out the flaw on the 14th of October, on the Linux Kernel Mailing List, developer Brad Spengler, who is responsible for the grsecurity project, also claims to have discovered it in mid October. Spengler even told the UK media that he developed an exploit two weeks ago. Spengler has released exploits for previous null pointer dereferences discovered in the Linux kernel. At the request of The H's associates at heise Security, Spengler has said that he will publish his exploits, possibly later today.

See also:

(crve)