
Linux Kernel Xorg Hijack Patched After 5 Years


For 6 years the Linux kernel had suffered from a largely unnoticed privilege escalation vulnerability, and now it has finally been patched. Linus committed the patch last week, and it can be found here: http://bit.ly/a2AqMh. The vulnerability allowed unprivileged local users to gain root access to a system.

The vulnerability was apparently discovered as long ago as 2005 by researcher Gaël Delalleau, but had been largely ignored until Rafal Wojtczuk from Invisible Things Labs started investigating related issues. In this PDF paper, Rafal outlined a method for exploiting this vulnerability using the Xorg server, which provides a GUI to Linux users.

The Xorg server has two memory regions that grow in opposite directions in the address space, a behaviour inherited from the Intel x86 architecture. An attacker can force these two regions to collide, enabling the attacker to insert his own code and hijack the Xorg server. Linus had this to say when committing the patch:

This is a rather minimally invasive patch to solve the problem of the
user stack growing into a memory mapped area below it.  Whenever we fill
the first page of the stack segment, expand the segment down by one
page.

Now, admittedly some odd application might _want_ the stack to grow down
into the preceding memory mapping, and so we may at some point need to
make this a process tunable (some people might also want to have more
than a single page of guarding), but let's try the minimal approach
first.

Tested with trivial application that maps a single page just below the
stack, and then starts recursing.  Without this, we will get a SIGSEGV
_after_ the stack has smashed the mapping.  With this patch, we'll get a
nice SIGBUS just as the stack touches the page just above the mapping.
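As an added example, not code from the article, the kernel patch or Rafal's paper: a small Linux-only check that reads /proc/self/maps, locates the [stack] mapping and reports how many bytes separate it from the nearest mapping below it. That distance is the collision condition described above, and a gap of zero is exactly the layout Linus's test program sets up. The one-page (4 KiB) threshold is an assumption taken from the patch text, and the two sample listings are constructed, not captured from a real system.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One guard page, as in the patch quoted above (assumption: 4 KiB pages). */
#define GUARD_BYTES 4096UL

/* What the scan found in a maps listing. */
struct stack_gap {
    int found;              /* 1 once a [stack] line has been seen */
    uintptr_t stack_start;  /* lowest address of the [stack] mapping */
    uintptr_t stack_end;    /* one past its highest address */
    uintptr_t below_end;    /* end of the nearest mapping below it (0 if none) */
};

/* Parse text in /proc/PID/maps format. Each line starts with
 * "start-end perms offset dev inode [path]", and the listing is in ascending
 * address order, so the line before [stack] is the nearest mapping below it. */
struct stack_gap scan_maps(const char *text)
{
    struct stack_gap g = {0, 0, 0, 0};
    uintptr_t prev_end = 0;
    const char *line = text;

    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        unsigned long long lo, hi;

        if (len >= sizeof buf)
            len = sizeof buf - 1;          /* only the address range and tag matter */
        memcpy(buf, line, len);
        buf[len] = '\0';

        if (sscanf(buf, "%llx-%llx", &lo, &hi) == 2) {
            if (!g.found && strstr(buf, "[stack]")) {
                g.found = 1;
                g.stack_start = (uintptr_t)lo;
                g.stack_end = (uintptr_t)hi;
                g.below_end = prev_end;
            }
            prev_end = (uintptr_t)hi;
        }
        if (!nl)
            break;
        line = nl + 1;
    }
    return g;
}

/* Bytes the stack segment can still grow before touching the mapping below it.
 * UINTPTR_MAX when no [stack] line or no mapping below it was found. */
uintptr_t gap_bytes(struct stack_gap g)
{
    if (!g.found || g.below_end == 0)
        return UINTPTR_MAX;
    return g.stack_start - g.below_end;
}

/* 1 if at least one guard page separates the stack from the mapping below. */
int gap_is_guarded(struct stack_gap g)
{
    return gap_bytes(g) >= GUARD_BYTES;
}

/* Constructed sample listings (not captured from a real system). The first has
 * an anonymous mapping directly against the stack segment, like Linus's test. */
static const char sample_adjacent[] =
    "00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/example\n"
    "7ffd1c2d3000-7ffd1c2e3000 rw-p 00000000 00:00 0\n"
    "7ffd1c2e3000-7ffd1c304000 rw-p 00000000 00:00 0 [stack]\n"
    "7ffd1c3f0000-7ffd1c3f4000 r--p 00000000 00:00 0 [vvar]\n";

static const char sample_spaced[] =
    "00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/example\n"
    "7ffd1c1e3000-7ffd1c1e4000 rw-p 00000000 00:00 0\n"
    "7ffd1c2e3000-7ffd1c304000 rw-p 00000000 00:00 0 [stack]\n";

int main(void)
{
    static char text[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");   /* Linux only */
    struct stack_gap g;
    size_t n;

    if (!f) {
        perror("/proc/self/maps");
        return 1;
    }
    n = fread(text, 1, sizeof text - 1, f);
    fclose(f);
    text[n] = '\0';

    g = scan_maps(text);
    if (!g.found) {
        puts("no [stack] mapping found");
        return 1;
    }
    printf("[stack] %#lx-%#lx, mapping below ends at %#lx, gap %lu bytes: %s\n",
           (unsigned long)g.stack_start, (unsigned long)g.stack_end,
           (unsigned long)g.below_end, (unsigned long)gap_bytes(g),
           gap_is_guarded(g) ? "guarded" : "ADJACENT");
    return 0;
}
```

The number reported is the distance from the current low end of the stack segment, so it shrinks as the stack grows; a value of zero means some other mapping sits directly against the stack, which is the situation the patch turns from a silent overwrite into a signal. Kernels newer than the one discussed here keep a larger gap than a single page, so treat GUARD_BYTES as the minimum, not the expected value.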
