Hello list,
I heard the news about the new exploit, and I'm wondering if 2.6.0 or
2.6.1-rc1 is affected with this mremap bug?
Thanks,
Best regards,
Markus
--
"Software is like sex, it's better when it's free."
Markus H?stbacka <midian at ihme dot org>
On Mon, 5 Jan 2004, Markus H?stbacka wrote:
>
> I heard the news about the new exploit, and I'm wondering if 2.6.0 or
> 2.6.1-rc1 is affected with this mremap bug?
Yup.
I'd actually personally prefer a stronger test than the one in 2.4.24, and
my personal preference would be for just disallowing the degenerate cases
entirely. I don't see a "mremap away" as being a valid thing to do, since
if that is what you want, why not just do a "munmap()"?
Uli cc'd, to check whether libc could ever use a zero-sized mremap()..
Linus
----
===== mm/mremap.c 1.33 vs edited =====
--- 1.33/mm/mremap.c Sat Aug 23 23:50:10 2003
+++ edited/mm/mremap.c Mon Jan 5 08:34:21 2004
@@ -315,6 +315,10 @@
old_len = PAGE_ALIGN(old_len);
new_len = PAGE_ALIGN(new_len);
+ /* Don't allow the degenerate cases */
+ if (!(old_len | new_len))
+ goto out;
+
/* new_addr is only valid if MREMAP_FIXED is specified */
if (flags & MREMAP_FIXED) {
if (new_addr & ~PAGE_MASK)
On Mon, 2004-01-05 at 18:46, Linus Torvalds wrote:
> Yup.
>
Why isn't there any security update to 2.6.0/2.6.1-rc1 out yet, then?
Yes, the patch..
But I think there's corporations who use 2.6.0 and don't read the lkml.
Just a penny for my thoughts..
Regards,
Markus
> I'd actually personally prefer a stronger test than the one in 2.4.24, and
> my personal preference would be for just disallowing the degenerate cases
> entirely. I don't see a "mremap away" as being a valid thing to do, since
> if that is what you want, why not just do a "munmap()"?
>
> Uli cc'd, to check whether libc could ever use a zero-sized mremap()..
>
> Linus
--
"Software is like sex, it's better when it's free."
Markus H?stbacka <midian at ihme dot org>
On Mon, 5 Jan 2004, Markus H?stbacka wrote:
>
> Why isn't there any security update to 2.6.0/2.6.1-rc1 out yet, then?
Because nobody actually contacted me about the problem and I read about it
on linux-kernel like everybody else? Because I just got up and created the
patch? And because nobody has an exploit yet, and one may be hard or
impossible to create? And because people who care about these things tend
to not update to x.0 kernels anyway?
> But I think there's corporations who use 2.6.0 and don't read the lkml.
They'll get a 2.6.1 soonish. The patch is in the current BK tree, will be
in -rc2, and will be in 2.6.1. Let's just make sure we don't screw up the
release due to being too much in a hurry either..
Linus
On Mon, 2004-01-05 at 20:31, Linus Torvalds wrote:
> Because nobody actually contacted me about the problem and I read about it
> on linux-kernel like everybody else? Because I just got up and created the
> patch? And because nobody has an exploit yet, and one may be hard or
> impossible to create? And because people who care about these things tend
> to not update to x.0 kernels anyway?
>
Ok, I see your point. though, even that I care about these things, I
updated one of my servers to development tree somewhere at 2.5.70~.
The reason for me was the major performance difference.
> > But I think there's corporations who use 2.6.0 and don't read the lkml.
>
> They'll get a 2.6.1 soonish. The patch is in the current BK tree, will be
> in -rc2, and will be in 2.6.1. Let's just make sure we don't screw up the
> release due to being too much in a hurry either..
>
Yes, better give it time and not rush.
Thanks for your time.
--
"Software is like sex, it's better when it's free."
Markus H?stbacka <midian at ihme dot org>
On Mon, Jan 05, 2004 at 10:31:02AM -0800, Linus Torvalds <[email protected]> wrote:
[snip]
> And because nobody has an exploit yet, and one may be hard or
> impossible to create?
There _is_ an exploit: http://isec.pl/vulnerabilities/isec-0013-mremap.txt
"Since no special privileges are required to use the mremap(2) system
call any process may misuse its unexpected behavior to disrupt the kernel
memory management subsystem. Proper exploitation of this vulnerability may
lead to local privilege escalation including execution of arbitrary code
with kernel level access. Proof-of-concept exploit code has been created
and successfully tested giving UID 0 shell on vulnerable systems."
Cheers,
GCS
On Jan-05 2004, Mon, 20:38 +0100
GCS <[email protected]> wrote:
> There _is_ an exploit: http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> "Since no special privileges are required to use the mremap(2) system
...
I will not believe the claim until I've seen the code.
--
Tomas Szepe <[email protected]>
On Mon, 2004-01-05 at 23:48, Tomas Szepe wrote:
> On Jan-05 2004, Mon, 20:38 +0100
> GCS <[email protected]> wrote:
>
> > There _is_ an exploit: http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> > "Since no special privileges are required to use the mremap(2) system
> ...
>
> I will not believe the claim until I've seen the code.
Not sure if this works or not.
According to a slashdot comment this is proof of concept code.
http://linuxfromscratch.org/~devine/mremap_poc.c
Regards,
Bastiaan
At least it hangs a redhat 7.2 kernel
I will test it further tomorrow, but it looks like a good proof to me
Best regards
Max
On Mon, 2004-01-05 at 18:23, Bastiaan Spandaw wrote:
> On Mon, 2004-01-05 at 23:48, Tomas Szepe wrote:
> > On Jan-05 2004, Mon, 20:38 +0100
> > GCS <[email protected]> wrote:
> >
> > > There _is_ an exploit: http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> > > "Since no special privileges are required to use the mremap(2) system
> > ...
> >
> > I will not believe the claim until I've seen the code.
>
> Not sure if this works or not.
> According to a slashdot comment this is proof of concept code.
>
> http://linuxfromscratch.org/~devine/mremap_poc.c
>
> Regards,
>
> Bastiaan
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
--
Linux garaged 2.4.24 #2 SMP Mon Jan 5 17:41:16 CST 2004 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GS/ d-s:a-28C++ILHA+++P+L++>+++E---W++N*o--K-w++++O-M--V--PS+PEY--PGP++t5XRtv++b++DI--D-G++e++h-r+y**
------END GEEK CODE BLOCK------
gpg-key: http://garaged.homeip.net/gpg-key.txt
On Tue, 6 Jan 2004, Max Valdez wrote:
> At least it hangs a redhat 7.2 kernel
>
> I will test it further tomorrow, but it looks like a good proof to me
>
> Best regards
> Max
> On Mon, 2004-01-05 at 18:23, Bastiaan Spandaw wrote:
> > On Mon, 2004-01-05 at 23:48, Tomas Szepe wrote:
> > > On Jan-05 2004, Mon, 20:38 +0100
> > > GCS <[email protected]> wrote:
> > >
> > > > There _is_ an exploit:
> http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> > > > "Since no special privileges are required to use the mremap(2)
> system
> > > ...
> > >
> > > I will not believe the claim until I've seen the code.
> >
> > Not sure if this works or not.
> > According to a slashdot comment this is proof of concept code.
> >
> > http://linuxfromscratch.org/~devine/mremap_poc.c
> >
> > Regards,
> >
> > Bastiaan
> >
On my box that program is a very effective 'instant reboot'.
The instant I ran it from a xterm my screen went black, the music I was
listening to from a CD stopped and the machine rebooted.
The running kernel was 2.6.1-rc1-mm1
- Jesper Juhl
On Tue, 6 Jan 2004 02:25:36 +0100 (CET)
Jesper Juhl <[email protected]> wrote:
>
> On Tue, 6 Jan 2004, Max Valdez wrote:
>
> > At least it hangs a redhat 7.2 kernel
> >
> > I will test it further tomorrow, but it looks like a good proof to me
> On my box that program is a very effective 'instant reboot'.
>
> The instant I ran it from a xterm my screen went black, the music I was
> listening to from a CD stopped and the machine rebooted.
> The running kernel was 2.6.1-rc1-mm1
do nothing in my laptop.
[hugang@:build]$ ./mremap_poc
Trace/breakpoint trap
powerpc G4, PowerBook G4, 2.6.0-test11-wli + laptop mode path
--
Hu Gang / Steve
RLU# : 204016 [1999] (Registered Linux user)
GPG Public Key: http://soulinfo.com/~hugang/HuGang.asc
On Tue, 6 Jan 2004 09:31:45 +0800
Hugang <[email protected]> wrote:
> do nothing in my laptop.
>
> [hugang@:build]$ ./mremap_poc
> Trace/breakpoint trap
>
> powerpc G4, PowerBook G4, 2.6.0-test11-wli + laptop mode path
Sorry, My fault, it let my kernel oops.
kernel BUG in exit_mmap at mm/mmap.c:1468!
Oops: Exception in kernel mode, sig: 5 [#14]
NIP: C00490E0 LR: C00490B0 SP: C094DED0 REGS: c094de20 TRAP: 0700 Not tainted
MSR: 00029032 EE: 1 PR: 0 FP: 0 ME: 1 IR/DR: 11
TASK = c1c83160[2783] 'mremap_poc' Last syscall: 1
GPR00: 00000001 C094DED0 C1C83160 0000000A 00000000 0A89DFFC C01C6740 00009032
GPR08: 0000AF9F C01F247C FFFFFFCB C01F0000 82000002 100187B8 00000000 100D7B78
GPR16: 100D6BE8 10060000 10060000 00000000 00000000 100C8558 100D6BE8 00000000
GPR24: 00000000 0FFE6BB0 0FFD9590 0FFD9590 00000000 00000000 C1C83160 C95384C0
Call trace:
[c0016914] mmput+0x7c/0xbc
[c001a9e8] do_exit+0x19c/0x380
[c001ac08] do_group_exit+0x0/0x98
[c000602c] ret_from_syscall+0x0/0x4c
--
Hu Gang / Steve
RLU# : 204016 [1999] (Registered Linux user)
GPG Public Key: http://soulinfo.com/~hugang/HuGang.asc
--- Jesper Juhl <[email protected]> a ?crit : >
> On Tue, 6 Jan 2004, Max Valdez wrote:
>
> > At least it hangs a redhat 7.2 kernel
> >
> > I will test it further tomorrow, but it looks like a good
> proof to me
> >
> > > >
> > > > > There _is_ an exploit:
> > http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> > > > > "Since no special privileges are required to use the
> mremap(2)
> > system
> > > > ...
> > > >
> > > > I will not believe the claim until I've seen the code.
> > >
> > > Not sure if this works or not.
> > > According to a slashdot comment this is proof of concept
> code.
> > >
> > > http://linuxfromscratch.org/~devine/mremap_poc.c
> > >
> > > Regards,
> > >
> > > Bastiaan
> > >
>
> On my box that program is a very effective 'instant reboot'.
>
on mine just a segfault :-)
sony@grinch -04:47:32- 0 jobs, ver 2.05b.0 3
/~/schule $ gcc -o mremap_poc mremap_poc.c
sony@grinch -04:47:35- 0 jobs, ver 2.05b.0 3
/~/schule $ ./mremap_poc
Segmentation fault
> The instant I ran it from a xterm my screen went black, the
> music I was
> listening to from a CD stopped and the machine rebooted.
> The running kernel was 2.6.1-rc1-mm1
>
maybe you were running the program as root ?
>
> - Jesper Juhl
>
> -
Calin
=====
--
A mouse is a device used to point at
the xterm you want to type in.
Kim Alm on a.s.r.
_________________________________________________________________
Do You Yahoo!? -- Une adresse @yahoo.fr gratuite et en fran?ais !
Yahoo! Mail : http://fr.mail.yahoo.com
On Tue, 6 Jan 2004, [iso-8859-1] szonyi calin wrote:
> --- Jesper Juhl <[email protected]> a ?crit : >
> > On Tue, 6 Jan 2004, Max Valdez wrote:
> >
> > > At least it hangs a redhat 7.2 kernel
> > >
> > > I will test it further tomorrow, but it looks like a good
> > proof to me
> > >
> > > > >
> > > > > > There _is_ an exploit:
> > > http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> > > > > > "Since no special privileges are required to use the
> > mremap(2)
> > > system
> > > > > ...
> > > > >
> > > > > I will not believe the claim until I've seen the code.
> > > >
> > > > Not sure if this works or not.
> > > > According to a slashdot comment this is proof of concept
> > code.
> > > >
> > > > http://linuxfromscratch.org/~devine/mremap_poc.c
> > > >
> > > > Regards,
> > > >
> > > > Bastiaan
> > > >
> >
> > On my box that program is a very effective 'instant reboot'.
> >
>
> on mine just a segfault :-)
> sony@grinch -04:47:32- 0 jobs, ver 2.05b.0 3
> /~/schule $ gcc -o mremap_poc mremap_poc.c
> sony@grinch -04:47:35- 0 jobs, ver 2.05b.0 3
> /~/schule $ ./mremap_poc
> Segmentation fault
>
> > The instant I ran it from a xterm my screen went black, the
> > music I was
> > listening to from a CD stopped and the machine rebooted.
> > The running kernel was 2.6.1-rc1-mm1
> >
>
> maybe you were running the program as root ?
I tried it on 2.6.0 as a regular user and got an instant reboot.
stracing it showed the faults and the system was unusable after that :)
~jon
--- Jonathan Higdon <[email protected]> a ?crit : >
>
> On Tue, 6 Jan 2004, [iso-8859-1] szonyi calin wrote:
>
> > >
> > > On my box that program is a very effective 'instant
> reboot'.
> > >
> >
> > on mine just a segfault :-)
> > sony@grinch -04:47:32- 0 jobs, ver 2.05b.0 3
> > /~/schule $ gcc -o mremap_poc mremap_poc.c
> > sony@grinch -04:47:35- 0 jobs, ver 2.05b.0 3
> > /~/schule $ ./mremap_poc
> > Segmentation fault
> >
correction
if it is compileg withj -g and statically linked and run from
a gdb session it hard locks the machine. Only a hard reset helps
if it's run from a shell -> segfaults :-)
so at least on my system an atacker needs gdb to crash the
machine :-)
> > > The instant I ran it from a xterm my screen went black,
> the
> > > music I was
> > > listening to from a CD stopped and the machine rebooted.
> > > The running kernel was 2.6.1-rc1-mm1
> > >
> >
> > maybe you were running the program as root ?
>
> I tried it on 2.6.0 as a regular user and got an instant
> reboot.
> stracing it showed the faults and the system was unusable
> after that :)
>
> ~jon
=====
--
A mouse is a device used to point at
the xterm you want to type in.
Kim Alm on a.s.r.
_________________________________________________________________
Do You Yahoo!? -- Une adresse @yahoo.fr gratuite et en fran?ais !
Yahoo! Mail : http://fr.mail.yahoo.com
On Tue, Jan 06, 2004 at 01:23:44AM +0100, Bastiaan Spandaw wrote:
...
> Not sure if this works or not.
> According to a slashdot comment this is proof of concept code.
>
> http://linuxfromscratch.org/~devine/mremap_poc.c
A few tests, all on IA32, all as non-root user:
RedHat 5.2, (vanilla 2.0.39) = no effect
RedHat 6.2, (vanilla 2.4.18) = instant reboot
RedHat 7.2, (redhat 2.4.9-7) = instant reboot
Debian 2.2, (vanilla 2.2.19) = no effect
SuSE 7.3, (suse 2.4.10-4GB) = instant reboot
Cheers,
/ jakob
On Tue, 6 Jan 2004 07:39:06 +0100
Jakob Oestergaard <[email protected]> wrote:
> On Tue, Jan 06, 2004 at 01:23:44AM +0100, Bastiaan Spandaw wrote:
> ...
> > Not sure if this works or not.
> > According to a slashdot comment this is proof of concept code.
> >
> > http://linuxfromscratch.org/~devine/mremap_poc.c
>
> A few tests, all on IA32, all as non-root user:
>
> RedHat 5.2, (vanilla 2.0.39) = no effect
> RedHat 6.2, (vanilla 2.4.18) = instant reboot
> RedHat 7.2, (redhat 2.4.9-7) = instant reboot
> Debian 2.2, (vanilla 2.2.19) = no effect
> SuSE 7.3, (suse 2.4.10-4GB) = instant reboot
On my 2.4.22 (slackware 9.1 default) and on my 2.6.0-test11 (vanilla) with IA32
worked fine.
--
Ivan "kratorius" Giuliani :: PGP Public Key ID:
http://kratorius.cjb.net :: 0x840F429D @ keyserver.linux.it
LUGBari Member ::
Linus Torvalds wrote:
> I'd actually personally prefer a stronger test than the one in 2.4.24, and
> my personal preference would be for just disallowing the degenerate cases
> entirely. I don't see a "mremap away" as being a valid thing to do, since
> if that is what you want, why not just do a "munmap()"?
>
I belive your fix isn't correct.
Should that test be:
if(!old_len || !new_len)
goto out;
?
The difference is when old_len!=0 and new_len==0:
With the fix that Marcelo merged, mremap does nothing and returns -1.
With your fix, mremap does do_munmap and then returns -1.
Michal Schmidt