Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S265260AbUAES2h (ORCPT ); Mon, 5 Jan 2004 13:28:37 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S265258AbUAES2g (ORCPT ); Mon, 5 Jan 2004 13:28:36 -0500 Received: from ip-213-226-226-138.ji.cz ([213.226.226.138]:56046 "HELO machine.sinus.cz") by vger.kernel.org with SMTP id S265246AbUAES0K (ORCPT ); Mon, 5 Jan 2004 13:26:10 -0500 Date: Mon, 5 Jan 2004 19:26:07 +0100 From: Petr Baudis To: Diego Calleja Cc: Marcelo Tosatti , Robert.L.Harris@rdlg.net, linux-kernel@vger.kernel.org Subject: mremap() bug and 2.2? Message-ID: <20040105182607.GB2093@pasky.ji.cz> Mail-Followup-To: Diego Calleja , Marcelo Tosatti , Robert.L.Harris@rdlg.net, linux-kernel@vger.kernel.org References: <20040105145421.GC2247@rdlg.net> <20040105181053.6560e1e3.grundig@teleline.es> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20040105181053.6560e1e3.grundig@teleline.es> User-Agent: Mutt/1.4i X-message-flag: Outlook : A program to spread viri, but it can do mail too. Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1519 Lines: 45 Dear diary, on Mon, Jan 05, 2004 at 06:10:53PM CET, I got a letter, where Diego Calleja told me, that... > El Mon, 5 Jan 2004 13:26:23 -0200 (BRST) Marcelo Tosatti escribi?: > > > On Mon, 5 Jan 2004, Robert L. Harris wrote: > > > Just read this on full disclosure: > > > > > > http://isec.pl/vulnerabilities/isec-0013-mremap.txt > [...] > > It is possible that the problem is exploitable. There is no known public > > exploit yet, however. > > > > 2.4.24 includes a fix for this (mm/mremap.c diff) > > It names 2.2 too. Is there a fix for 2.2? I'm trying to investigate that right now. In 2.2, mremap() doesn't yet take yet the new_addr argument, therefore the "official" 2.4 fix wouldn't apply at all to it. There are four possibilities: * The isec.pl guys just made a mistake. * 2.2's get_unmapped_area() can return dangerous pages for len == 0, whilst the 2.4's get_unmapped_area() cannot. (I'm not sure, looking into that code right now.) * 2.4's fix is incorrect. * I'm missing something obvious. Anyone has an idea? -- Petr "Pasky" Baudis . The brain is a wonderful organ; it starts working the moment you get up in the morning, and does not stop until you get to work. . Stuff: http://pasky.or.cz/ - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/