linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: linux-os <linux-os@chaos.analogic.com>
To: Marcelo Tosatti <marcelo.tosatti@cyclades.com>
Cc: Lukasz Trabinski <lukasz@wsisiz.edu.pl>,
	Linux kernel <linux-kernel@vger.kernel.org>
Subject: Re: uselib()  & 2.6.X?
Date: Fri, 7 Jan 2005 15:27:05 -0500 (EST)	[thread overview]
Message-ID: <Pine.LNX.4.61.0501071519330.21405@chaos.analogic.com> (raw)
In-Reply-To: <20050107170712.GK29176@logos.cnet>

On Fri, 7 Jan 2005, Marcelo Tosatti wrote:

> On Fri, Jan 07, 2005 at 04:59:22PM +0100, Lukasz Trabinski wrote:
>> Hello
>>
>>
>> http://isec.pl/vulnerabilities/isec-0021-uselib.txt
>>
>> [...]
>> Locally  exploitable  flaws  have  been found in the Linux binary format
>> loaders'  uselib()  functions  that  allow  local  users  to  gain  root
>> privileges.
>> [...]
>> Version:   2.4 up to and including 2.4.29-rc2, 2.6 up to and including 2.6.10
>> [...]
>>
>> It's was fixed by Marcelo on 2.4.29-rc1. Thank's :)
>> What about 2.6.X? Is any patch available? I don't see any changes
>> around binfmt_elf in 2.6.10-bk10?
>
> 2.6.10-ac contains a version of the fix.
>
> Attached is what going to be merged in mainline, most likely.
>
>

FYI, the provided source-code won't build with the 2.6.x kernel
because one of the structures is no longer defined. However,
building on 2.4.20 and attempting to exploit the alleged bug
results in:

Script started on Fri 07 Jan 2005 03:22:24 PM EST
LINUX> ./isec

[+] SLAB cleanup\r    child 1 VMAs 0
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xef800000 - 0xffffd000

[-] FAILED: try again (No such device) 
Killed
LINUX> ./isec

[+] SLAB cleanup\r    child 1 VMAs 0
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xef800000 - 0xffffd000

[-] FAILED: try again (No such device) 
Killed
LINUX> exit

Script done on Fri 07 Jan 2005 03:22:45 PM EST


.... Nothing. It just doesn't do what it's claimed to do....
So, maybe the exploit __can__ happen under rare circumstances,
but I wouldn't worry too much about it at the present time.

Cheers,
Dick Johnson
Penguin : Linux version 2.6.10 on an i686 machine (5537.79 BogoMips).
  Notice : All mail here is now cached for review by Dictator Bush.
                  98.36% of all statistics are fiction.

  reply	other threads:[~2005-01-07 20:30 UTC|newest]

Thread overview: 42+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-01-07 15:59 uselib() & 2.6.X? Lukasz Trabinski
2005-01-07 17:07 ` Marcelo Tosatti
2005-01-07 20:27   ` linux-os [this message]
2005-01-07 22:29     ` Athanasius
2005-01-07 22:49   ` Alan Cox
2005-01-08  0:15     ` Linus Torvalds
2005-01-07 22:12       ` Marcelo Tosatti
2005-01-08 18:46         ` Linus Torvalds
2005-01-08 18:28           ` Marcelo Tosatti
2005-01-09  1:38             ` Linus Torvalds
2005-01-09 11:06               ` Marcelo Tosatti
2005-01-10  8:34                 ` Frank Steiner
2005-01-10 16:51                   ` Marcelo Tosatti
2005-01-10 18:28                   ` Alan Cox
2005-01-11  7:49                     ` Frank Steiner
2005-01-08 21:07           ` Andreas Schwab
2005-01-08 22:30             ` Barry K. Nathan
2005-01-08 23:21             ` Andi Kleen
2005-01-08 23:30               ` Alan Cox
2005-01-09  0:57                 ` Andi Kleen
2005-01-09  0:49             ` Andries Brouwer
2005-01-09  2:21               ` Jesper Juhl
2005-01-09  2:17                 ` Andries Brouwer
2005-01-08 21:47           ` Alan Cox
2005-01-11 22:51           ` [PATCH] make uselib configurable (was Re: uselib() & 2.6.X?) Barry K. Nathan
2005-01-11 23:42             ` Jesper Juhl
2005-01-11 23:59             ` Andries Brouwer
2005-01-12  1:06               ` Jesper Juhl
2005-01-12  1:18                 ` David Lang
2005-01-11 22:36                   ` Marcelo Tosatti
2005-01-12  2:32                     ` Barry K. Nathan
2005-01-12  0:56                       ` Marcelo Tosatti
2005-01-12  6:10                         ` Barry K. Nathan
2005-01-12 16:47                           ` Adrian Bunk
2005-01-12 17:10                             ` Barry K. Nathan
2005-01-12 20:16                     ` Matt Mackall
2005-01-12  2:12               ` Barry K. Nathan
2005-01-12  2:23                 ` David Lang
2005-01-12  2:30                 ` Adrian Bunk
2005-01-12  5:11                 ` Stephen Pollei
2005-01-12 16:54                   ` Adrian Bunk
2005-01-12  7:58               ` Christoph Hellwig

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Pine.LNX.4.61.0501071519330.21405@chaos.analogic.com \
    --to=linux-os@chaos.analogic.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-os@analogic.com \
    --cc=lukasz@wsisiz.edu.pl \
    --cc=marcelo.tosatti@cyclades.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).