2004-01-05 14:54:24

by Robert L. Harris

[permalink] [raw]
Subject: mremap bug and 2.4?



Just read this on full disclosure:

http://isec.pl/vulnerabilities/isec-0013-mremap.txt

Is it valid? No working proof of concept code has been posted so I can't
test my systems. The article only lists 2.4 and 2.6. Is this
2.4.16-current, etc? Anyone have any details about versions that are
safe so I/We can determine if I need to roll a new production kernel out
again?

Thanks,
Robert

:wq!
---------------------------------------------------------------------------
Robert L. Harris | GPG Key ID: E344DA3B
@ x-hkp://pgp.mit.edu
DISCLAIMER:
These are MY OPINIONS ALONE. I speak for no-one else.

Life is not a destination, it's a journey.
Microsoft produces 15 car pileups on the highway.
Don't stop traffic to stand and gawk at the tragedy.


Attachments:
(No filename) (828.00 B)
signature.asc (189.00 B)
Digital signature
Download all attachments

2004-01-05 15:21:52

by Erik Mouw

[permalink] [raw]
Subject: Re: mremap bug and 2.4?

On Mon, Jan 05, 2004 at 09:54:21AM -0500, Robert L. Harris wrote:
> Just read this on full disclosure:
>
> http://isec.pl/vulnerabilities/isec-0013-mremap.txt
>
> Is it valid?

Yes, Marcelo released 2.4.24 an hour ago for that reason.


Erik

--
+-- Erik Mouw -- http://www.harddisk-recovery.com -- +31 70 370 12 90 --
| Lab address: Delftechpark 26, 2628 XH, Delft, The Netherlands

2004-01-05 15:35:43

by Marcelo Tosatti

[permalink] [raw]
Subject: Re: mremap bug and 2.4?



On Mon, 5 Jan 2004, Robert L. Harris wrote:

>
>
> Just read this on full disclosure:
>
> http://isec.pl/vulnerabilities/isec-0013-mremap.txt
>
> Is it valid? No working proof of concept code has been posted so I can't
> test my systems. The article only lists 2.4 and 2.6. Is this
> 2.4.16-current, etc? Anyone have any details about versions that are
> safe so I/We can determine if I need to roll a new production kernel out
> again?

It is possible that the problem is exploitable. There is no known public
exploit yet, however.

2.4.24 includes a fix for this (mm/mremap.c diff)

2004-01-05 15:43:02

by Robert L. Harris

[permalink] [raw]
Subject: Re: mremap bug and 2.4?



I love you guys. Yeah, I have to compile a new kernel, test it and push it out
this week to 600 machines but atleast I don't have to wait 6 months and
then hope it doesn't kill all my apps.

You guys are great, THANKS!

Robert


Thus spake Marcelo Tosatti ([email protected]):

>
>
> On Mon, 5 Jan 2004, Robert L. Harris wrote:
>
> >
> >
> > Just read this on full disclosure:
> >
> > http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> >
> > Is it valid? No working proof of concept code has been posted so I can't
> > test my systems. The article only lists 2.4 and 2.6. Is this
> > 2.4.16-current, etc? Anyone have any details about versions that are
> > safe so I/We can determine if I need to roll a new production kernel out
> > again?
>
> It is possible that the problem is exploitable. There is no known public
> exploit yet, however.
>
> 2.4.24 includes a fix for this (mm/mremap.c diff)

:wq!
---------------------------------------------------------------------------
Robert L. Harris | GPG Key ID: E344DA3B
@ x-hkp://pgp.mit.edu
DISCLAIMER:
These are MY OPINIONS ALONE. I speak for no-one else.

Life is not a destination, it's a journey.
Microsoft produces 15 car pileups on the highway.
Don't stop traffic to stand and gawk at the tragedy.


Attachments:
(No filename) (1.32 kB)
signature.asc (189.00 B)
Digital signature
Download all attachments

2004-01-05 17:11:39

by grundig

[permalink] [raw]
Subject: Re: mremap bug and 2.4?

El Mon, 5 Jan 2004 13:26:23 -0200 (BRST) Marcelo Tosatti <[email protected]> escribi?:

> On Mon, 5 Jan 2004, Robert L. Harris wrote:
> > Just read this on full disclosure:
> >
> > http://isec.pl/vulnerabilities/isec-0013-mremap.txt
[...]
> It is possible that the problem is exploitable. There is no known public
> exploit yet, however.
>
> 2.4.24 includes a fix for this (mm/mremap.c diff)

It names 2.2 too. Is there a fix for 2.2?

2004-01-05 18:28:37

by Petr Baudis

[permalink] [raw]
Subject: mremap() bug and 2.2?

Dear diary, on Mon, Jan 05, 2004 at 06:10:53PM CET, I got a letter,
where Diego Calleja <[email protected]> told me, that...
> El Mon, 5 Jan 2004 13:26:23 -0200 (BRST) Marcelo Tosatti <[email protected]> escribi?:
>
> > On Mon, 5 Jan 2004, Robert L. Harris wrote:
> > > Just read this on full disclosure:
> > >
> > > http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> [...]
> > It is possible that the problem is exploitable. There is no known public
> > exploit yet, however.
> >
> > 2.4.24 includes a fix for this (mm/mremap.c diff)
>
> It names 2.2 too. Is there a fix for 2.2?

I'm trying to investigate that right now. In 2.2, mremap() doesn't yet
take yet the new_addr argument, therefore the "official" 2.4 fix
wouldn't apply at all to it. There are four possibilities:

* The isec.pl guys just made a mistake.

* 2.2's get_unmapped_area() can return dangerous pages for len == 0,
whilst the 2.4's get_unmapped_area() cannot. (I'm not sure, looking into
that code right now.)

* 2.4's fix is incorrect.

* I'm missing something obvious.

Anyone has an idea?

--

Petr "Pasky" Baudis
.
The brain is a wonderful organ; it starts working the moment you get up
in the morning, and does not stop until you get to work.
.
Stuff: http://pasky.or.cz/

2004-01-05 18:23:58

by Tomas Szepe

[permalink] [raw]
Subject: Re: mremap bug and 2.4?

On Jan-05 2004, Mon, 18:10 +0100
Diego Calleja <[email protected]> wrote:

> El Mon, 5 Jan 2004 13:26:23 -0200 (BRST) Marcelo Tosatti <[email protected]> escribi?:
>
> > On Mon, 5 Jan 2004, Robert L. Harris wrote:
> > > Just read this on full disclosure:
> > >
> > > http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> [...]
> > It is possible that the problem is exploitable. There is no known public
> > exploit yet, however.
> >
> > 2.4.24 includes a fix for this (mm/mremap.c diff)
>
> It names 2.2 too. Is there a fix for 2.2?

Ask Alan. He's not following the kernel mailing list too closely these days.

--
Tomas Szepe <[email protected]>

2004-01-05 22:57:24

by Petr Baudis

[permalink] [raw]
Subject: mremap() bug IMHO not in 2.2

Dear diary, on Mon, Jan 05, 2004 at 07:26:07PM CET, I got a letter,
where Petr Baudis <[email protected]> told me, that...
> Dear diary, on Mon, Jan 05, 2004 at 06:10:53PM CET, I got a letter,
> where Diego Calleja <[email protected]> told me, that...
> > El Mon, 5 Jan 2004 13:26:23 -0200 (BRST) Marcelo Tosatti <[email protected]> escribi?:
> >
> > > On Mon, 5 Jan 2004, Robert L. Harris wrote:
> > > > Just read this on full disclosure:
> > > >
> > > > http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> > [...]
> > > It is possible that the problem is exploitable. There is no known public
> > > exploit yet, however.
> > >
> > > 2.4.24 includes a fix for this (mm/mremap.c diff)
> >
> > It names 2.2 too. Is there a fix for 2.2?
>
> I'm trying to investigate that right now. In 2.2, mremap() doesn't yet
> take yet the new_addr argument, therefore the "official" 2.4 fix
> wouldn't apply at all to it. There are four possibilities:
>
> * The isec.pl guys just made a mistake.
>
> * 2.2's get_unmapped_area() can return dangerous pages for len == 0,
> whilst the 2.4's get_unmapped_area() cannot. (I'm not sure, looking into
> that code right now.)
>
> * 2.4's fix is incorrect.
>
> * I'm missing something obvious.

Actually, after looking at the code again, I'm now quite convinced 2.2
has not this particular vulnerability. In order for the exploit to work,
you'd need mremap() to relocate you.

But mremap() won't take newaddr argument, so you can't get yourself
relocated explicitly. And mremap() will not relocate yourself implicitly
to some random spot neither, because since newlen is zero, it will
always trigger the shrinking code, which will just munmap() and bail
out.

ihaquer, any comments? Is there something we don't know about? If not,
please correct your announcement.

Kind regards,

--

Petr "Pasky" Baudis
.
The brain is a wonderful organ; it starts working the moment you get up
in the morning, and does not stop until you get to work.
.
Stuff: http://pasky.or.cz/

2004-01-05 23:37:39

by Linus Torvalds

[permalink] [raw]
Subject: Re: mremap() bug IMHO not in 2.2



On Mon, 5 Jan 2004, Petr Baudis wrote:
>
> Actually, after looking at the code again, I'm now quite convinced 2.2
> has not this particular vulnerability. In order for the exploit to work,
> you'd need mremap() to relocate you.

Can somebody tell me (in private) what the exploit is in the first place?

The thing is, I can see the VM getting confused and creating a zero-sized
vma, and I agree that it shouldn't do that. The fix is trivial. But I
don't see where the claimed privilege escalation comes from. A zero-sized
vma isn't ever going to be _useful_, since nothing will actually find it.

So yes, it creates some confusion in the VM layer, but it all seems
benign. It's clearly a bug, but where does the security problem come in?

Linus

2004-01-06 00:08:42

by Valdis Klētnieks

[permalink] [raw]
Subject: Re: mremap() bug IMHO not in 2.2

On Mon, 05 Jan 2004 15:36:41 PST, Linus Torvalds said:

> So yes, it creates some confusion in the VM layer, but it all seems
> benign. It's clearly a bug, but where does the security problem come in?

Just guessing, but would a zero-length vma be rounded up to a page, and
thus give the attacker scribble permission on a page he shouldn't have had?


Attachments:
(No filename) (226.00 B)

2004-01-06 00:09:33

by Linus Torvalds

[permalink] [raw]
Subject: Re: mremap() bug IMHO not in 2.2



On Mon, 5 Jan 2004 [email protected] wrote:
>
> On Mon, 05 Jan 2004 15:36:41 PST, Linus Torvalds said:
>
> > So yes, it creates some confusion in the VM layer, but it all seems
> > benign. It's clearly a bug, but where does the security problem come in?
>
> Just guessing, but would a zero-length vma be rounded up to a page, and
> thus give the attacker scribble permission on a page he shouldn't have had?

Almost certainly not.

It's more likely that one of the two functions that walk through _all_ the
vma's (fork() and exit()) simply knows that a vma can never be
zero-length, and uses a

addr = vma->vm_start;
do {
...
addr += PAGE_SIZE;
} while (addr < vma->vm_end);

kind of loop - which means that either fork() or exit() would copy or
release one page too many.

The only page that should matter is likely the one at 0xC0000000, where
there can be extra complications from the fact that we use 4MB pages for
the kernel, so when fork/exit tries to walk the page table, it would get
bogus results.

Still, I'd expect that to lead to a triple fault (and thus a reboot)
rather than any elevation of privileges..

Interesting, in any case. Good catch from whoever found it.

Linus

2004-01-06 02:14:31

by Tomas Szepe

[permalink] [raw]
Subject: Re: mremap() bug IMHO not in 2.2

On Jan-05 2004, Mon, 16:08 -0800
Linus Torvalds <[email protected]> wrote:

> The only page that should matter is likely the one at 0xC0000000, where
> there can be extra complications from the fact that we use 4MB pages for
> the kernel, so when fork/exit tries to walk the page table, it would get
> bogus results.
>
> Still, I'd expect that to lead to a triple fault (and thus a reboot)
> rather than any elevation of privileges..

Hmmm... so what about non-x86?

> Interesting, in any case. Good catch from whoever found it.

Impressive, yes.

--
Tomas Szepe <[email protected]>

2004-01-06 09:22:42

by Martin Loschwitz

[permalink] [raw]
Subject: Re: mremap() bug IMHO not in 2.2

On Mon, Jan 05, 2004 at 04:08:36PM -0800, Linus Torvalds wrote:
>
>
> The only page that should matter is likely the one at 0xC0000000, where
> there can be extra complications from the fact that we use 4MB pages for
> the kernel, so when fork/exit tries to walk the page table, it would get
> bogus results.
>
This is right, the proof-of-concept exploit to be found on full-disclosure
exactly uses that memory address.

> Still, I'd expect that to lead to a triple fault (and thus a reboot)
> rather than any elevation of privileges..
>
I agree with Linus. I tested the POC-exploit here on Linux 2.4.22-rc2
and Linux 2.4.23 and everything it does is to simply reboot the box. As
for Linux 2.6.0-test9, I get something like a hangup (the same sound is
played again and again and only reset helps).

I actually am not sure whether this should be called 'local privlige
escalation' or rather 'possibility for Denial of Service attacks'.

> Interesting, in any case. Good catch from whoever found it.
>
> Linus
> -

--
.''`. Martin Loschwitz Debian GNU/Linux developer
: :' : [email protected] [email protected]
`. `'` http://www.madkiss.org/ people.debian.org/~madkiss/
`- Use Debian GNU/Linux 3.0! See http://www.debian.org/


Attachments:
(No filename) (1.25 kB)
signature.asc (189.00 B)
Digital signature
Download all attachments

2004-01-06 20:36:45

by Petr Baudis

[permalink] [raw]
Subject: mremap() bug indeed not in 2.2 (confirmed)

Dear diary, on Mon, Jan 05, 2004 at 11:55:08PM CET, I got a letter,
where Petr Baudis <[email protected]> told me, that...
> Dear diary, on Mon, Jan 05, 2004 at 07:26:07PM CET, I got a letter,
> where Petr Baudis <[email protected]> told me, that...
> > Dear diary, on Mon, Jan 05, 2004 at 06:10:53PM CET, I got a letter,
> > where Diego Calleja <[email protected]> told me, that...
> > > It names 2.2 too. Is there a fix for 2.2?
> >
> > I'm trying to investigate that right now. In 2.2, mremap() doesn't yet
> > take yet the new_addr argument, therefore the "official" 2.4 fix
> > wouldn't apply at all to it. There are four possibilities:
> >
> > * The isec.pl guys just made a mistake.
..snip..
> Actually, after looking at the code again, I'm now quite convinced 2.2
> has not this particular vulnerability. In order for the exploit to work,
> you'd need mremap() to relocate you.
..snip..
> ihaquer, any comments? Is there something we don't know about? If not,
> please correct your announcement.

It seems to be indeed so. This was just posted to bugtraq & co:

Hi,

our initial posting contains a mistake about the vulnerability of the
2.2 kernel series. Since the 2.2 kernel series doesn't support the
MREMAP_FIXED flag it is NOT vulnerable. The source states "MREMAP_FIXED
option added 5-Dec-1999" but it didn't make into recent 2.2.x. We
apologize for inconvenience.

--
Paul Starzetz
iSEC Security Research
http://isec.pl/

Here you go. And I don't need to worry about my 2.2.25-running pets ;-).

Kind regards,

--

Petr "Pasky" Baudis
.
The brain is a wonderful organ; it starts working the moment you get up
in the morning, and does not stop until you get to work.
.
Stuff: http://pasky.or.cz/