The do_exit function in kernel/exit.c in the Linux kernel before 2.6.36.2 does not properly handle a KERNEL_DS get_fs value, which allows local users to bypass intended access_ok restrictions, overwrite arbitrary kernel memory locations, and gain privileges by leveraging a (1) BUG, (2) NULL pointer dereference, or (3) page fault, as demonstrated by vectors involving the clear_child_tid feature and the splice system call.
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Linux_kernel | Linux | * | 2.6.36.2 (excluding) |
| Linux | Ubuntu | hardy | * |
| Linux | Ubuntu | karmic | * |
| Linux | Ubuntu | lucid | * |
| Linux | Ubuntu | maverick | * |
| Linux | Ubuntu | natty | * |
| Linux | Ubuntu | upstream | * |
| Linux-ec2 | Ubuntu | karmic | * |
| Linux-ec2 | Ubuntu | lucid | * |
| Linux-ec2 | Ubuntu | maverick | * |
| Linux-ec2 | Ubuntu | upstream | * |
| Linux-fsl-imx51 | Ubuntu | karmic | * |
| Linux-fsl-imx51 | Ubuntu | lucid | * |
| Linux-fsl-imx51 | Ubuntu | upstream | * |
| Linux-lts-backport-maverick | Ubuntu | lucid | * |
| Linux-lts-backport-maverick | Ubuntu | upstream | * |
| Linux-lts-backport-natty | Ubuntu | upstream | * |
| Linux-mvl-dove | Ubuntu | karmic | * |
| Linux-mvl-dove | Ubuntu | lucid | * |
| Linux-mvl-dove | Ubuntu | maverick | * |
| Linux-mvl-dove | Ubuntu | upstream | * |
| Linux-source-2.6.15 | Ubuntu | dapper | * |
| Linux-source-2.6.15 | Ubuntu | upstream | * |
| Linux-ti-omap4 | Ubuntu | maverick | * |
| Linux-ti-omap4 | Ubuntu | upstream | * |