1. Computers
  2. Display Drivers
  3. Graphics Cards
  4. Memory
  5. Motherboards
  6. Processors
  7. Software
  8. Storage
  9. Operating Systems


Facebook RSS Twitter Twitter Google Plus


Phoronix Test Suite

OpenBenchmarking.org

The High-Profile X.Org / Linux Kernel Security Bug

X.Org

Published on 18 August 2010 07:10 PM EDT
Written by Michael Larabel in X.Org
15 Comments

As many learned today, there's been a rather critical bug living within the Linux kernel for several years (as possibly far back as the original Linux 2.6 kernel release) that was finally fixed and this "high priority" bug is now publicly detailed. This issue (CVE-2010-2240), which allows arbitrary code to be executed as root, is easily exploitable by most current Linux desktops via simply running any compromised GUI application that has access to the running X.Org Server.

This security vulnerability that can be easily reproduced with most X.Org Servers on Linux was discovered by The Invisible Lab (a computer security research firm) and after privately reporting it to the X.Org team back in June was now detailed today in the company's blog and this formal security paper. Below is the summary provided within this paper entitled "Exploiting large memory management vulnerabilities in Xorg server running on Linux."
A malicious authenticated client can force Xorg server to exhaust (or fragment) its address space. If running on Linux, this may result in the process stack top being in an unexpected region and execution of arbitrary code with server privileges (root). x86 32 and x86 64 platforms are affected, others most probably are affected, too.

Note that depending on the system configuration, by default local unprivileged users may be able to start an instance of Xorg server that requires no authentication and exploit it. Also if a remote attacker exploits a (unrelated) vulnerability in a GUI application (e.g. web browser), he will have ability to attack X server.

In case of a local attacker that can use MIT-SHM extension (which is the most likely scenario), the exploit is very reliable. Identifier CVE-2010-2240 has been reserved for the underlying issue (Linux kernel not providing stack and heap separation). This issue has been known for at least five years.

The good news is that this issue is now corrected in the stable 2.6.32.19, 2.6.34.4, and 2.6.35.2 Linux kernel releases (along with the upstream Linux 2.6.36 kernel code) after it was corrected in the past few days via a number of patches. For those running a non-patched kernel it's also possible to make the system less vulnerable to the exploit by disabling the MIT-SHM (MIT Shared Memory) X extension, which when enabled allows the X Server to exchange data between the client and server using shared memory.

Of course, if the X Server wasn't running as root but rather an unprivileged local user, the vulnerability of a GUI application taking advantage of this bug could possibly have been adverted -- at least in terms of exploiting the fundamental kernel memory bug through X. Fortunately, thanks to kernel mode-setting this is now becoming a possibility. The X Server has traditionally had to run as root since X drivers have had to bang the hardware directly, but with these activities being moved into the Linux kernel DRM drivers, there isn't a real need for X to be root any longer. The mainline Linux kernel supports kernel mode-setting for the open-source Intel, ATI, and Nouveau (NVIDIA) drivers and is used by default on most recent desktop Linux distributions.

While most distributions now leverage KMS when using the open-source Intel/ATI/NVIDIA drivers, not many of them at this point are taking advantage of a root-less (in the sense of not not running as the root user) X Server. There's still a few items for the distribution vendors to address such as handling multi-user sessions while still having the X Server running as a non-root user and permission issues with a few areas of X. Though if you are using one of the more obscure open-source graphics drivers (Poulsbo, VIA, XGI, etc) or the proprietary drivers (mainly ATI) running the X Server as root is also not a possibility since they don't currently support KMS, and thus these non-kernel drivers need to still talk to the hardware directly. The proprietary NVIDIA driver doesn't implement KMS support, but it can allow the X Server to not run as root assuming the /dev/nvidiaX files have appropriate permissions.

There's been work towards making the X Server non-root since the kernel mode-setting work was integrated into the mainline Linux kernel. Moblin 2.0 was the first major distribution to abandon running the X Server as root, which was easy in their case since they just aim for Intel hardware support where using KMS is the only choice, and this non-root usage continues to be the case with the MeeGo distribution. Ubuntu is working towards a root-less X Server for Ubuntu 10.10 (though it looks like some bits may now not land until Ubuntu 11.04), as with other Linux distributions, when a KMS driver is utilized. The security-oriented OpenBSD developers have also been interested in porting the Linux KMS code to their BSD kernel for the less of a security threat created by the X Server not having root privileges.

About The Author
Michael Larabel is the principal author of Phoronix.com and founded the web-site in 2004 with a focus on enriching the Linux hardware experience and being the largest web-site devoted to Linux hardware reviews, particularly for products relevant to Linux gamers and enthusiasts but also commonly reviewing servers/workstations and embedded Linux devices. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics hardware drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated testing software. He can be followed via and or contacted via .
Latest Linux Hardware Reviews
  1. Intel Pentium G3258 On Linux
  2. SilverStone Precision PS10
  3. ASRock Z97 Extreme6
  4. Nouveau Re-Clocking Is Way Faster, Shows Much Progress For Open-Source NVIDIA
Latest Linux Articles
  1. KVM Benchmarks On Ubuntu 14.10
  2. X.Org Server 1.16 Officially Released With Terrific Features
  3. Ubuntu With Linux 3.16 Smashes OS X 10.9.4 On The MacBook Air
  4. Preview: Benchmarking CentOS 7.0 & Scientific Linux 7.0
Latest Linux News
  1. CPUFreq Ondemand Could Be Faster, Use Less Power With Linux 3.17
  2. Intel Adds BPTC Texture Compression To Their Mesa Driver
  3. The Linux Kernel Bang-Bang Thermal Governor Is Banging
  4. NVIDIA Releases K1-Powered Shield Tablet & Controller
  5. Xen Project Announces Mirage OS 2.0
  6. Canonical Community Team Changes Announced For Ubuntu
  7. Raspberry Pi B+ ARM Debian Benchmarks
  8. Mozilla Unleashes Firefox 31 Web Browser
  9. GCC 5.0 Is Expected Next Year
  10. PHP5's Successor Might Be PHP7
Latest Forum Discussions
  1. AMD "Hawaii" Open-Source GPU Acceleration Still Not Working Right
  2. Open-Source Radeon Performance Boosted By Linux 3.16
  3. In Road To Qt, Audacious Switches From GTK3 Back To GTK2
  4. Debian + Steam + r600
  5. Next-Gen OpenGL To Be Announced Next Month
  6. Ubuntu With Linux 3.16 Smashes OS X 10.9.4 On The MacBook Air
  7. Updated and Optimized Ubuntu Free Graphics Drivers
  8. AMD Publishes Open-Source Linux HSA Kernel Driver