From: linux-os <linux-os@chaos.analogic.com>
To: Marcelo Tosatti <marcelo.tosatti@cyclades.com>
Cc: Lukasz Trabinski <lukasz@wsisiz.edu.pl>,
Linux kernel <linux-kernel@vger.kernel.org>
Subject: Re: uselib() & 2.6.X?
Date: Fri, 7 Jan 2005 15:27:05 -0500 (EST) [thread overview]
Message-ID: <Pine.LNX.4.61.0501071519330.21405@chaos.analogic.com> (raw)
In-Reply-To: <20050107170712.GK29176@logos.cnet>
On Fri, 7 Jan 2005, Marcelo Tosatti wrote:
> On Fri, Jan 07, 2005 at 04:59:22PM +0100, Lukasz Trabinski wrote:
>> Hello
>>
>>
>> http://isec.pl/vulnerabilities/isec-0021-uselib.txt
>>
>> [...]
>> Locally exploitable flaws have been found in the Linux binary format
>> loaders' uselib() functions that allow local users to gain root
>> privileges.
>> [...]
>> Version: 2.4 up to and including 2.4.29-rc2, 2.6 up to and including 2.6.10
>> [...]
>>
>> It's was fixed by Marcelo on 2.4.29-rc1. Thank's :)
>> What about 2.6.X? Is any patch available? I don't see any changes
>> around binfmt_elf in 2.6.10-bk10?
>
> 2.6.10-ac contains a version of the fix.
>
> Attached is what going to be merged in mainline, most likely.
>
>
FYI, the provided source-code won't build with the 2.6.x kernel
because one of the structures is no longer defined. However,
building on 2.4.20 and attempting to exploit the alleged bug
results in:
Script started on Fri 07 Jan 2005 03:22:24 PM EST
LINUX> ./isec
[+] SLAB cleanup\r child 1 VMAs 0
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xef800000 - 0xffffd000
[-] FAILED: try again (No such device)
Killed
LINUX> ./isec
[+] SLAB cleanup\r child 1 VMAs 0
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xef800000 - 0xffffd000
[-] FAILED: try again (No such device)
Killed
LINUX> exit
Script done on Fri 07 Jan 2005 03:22:45 PM EST
.... Nothing. It just doesn't do what it's claimed to do....
So, maybe the exploit __can__ happen under rare circumstances,
but I wouldn't worry too much about it at the present time.
Cheers,
Dick Johnson
Penguin : Linux version 2.6.10 on an i686 machine (5537.79 BogoMips).
Notice : All mail here is now cached for review by Dictator Bush.
98.36% of all statistics are fiction.
next prev parent reply other threads:[~2005-01-07 20:30 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-01-07 15:59 uselib() & 2.6.X? Lukasz Trabinski
2005-01-07 17:07 ` Marcelo Tosatti
2005-01-07 20:27 ` linux-os [this message]
2005-01-07 22:29 ` Athanasius
2005-01-07 22:49 ` Alan Cox
2005-01-08 0:15 ` Linus Torvalds
2005-01-07 22:12 ` Marcelo Tosatti
2005-01-08 18:46 ` Linus Torvalds
2005-01-08 18:28 ` Marcelo Tosatti
2005-01-09 1:38 ` Linus Torvalds
2005-01-09 11:06 ` Marcelo Tosatti
2005-01-10 8:34 ` Frank Steiner
2005-01-10 16:51 ` Marcelo Tosatti
2005-01-10 18:28 ` Alan Cox
2005-01-11 7:49 ` Frank Steiner
2005-01-08 21:07 ` Andreas Schwab
2005-01-08 22:30 ` Barry K. Nathan
2005-01-08 23:21 ` Andi Kleen
2005-01-08 23:30 ` Alan Cox
2005-01-09 0:57 ` Andi Kleen
2005-01-09 0:49 ` Andries Brouwer
2005-01-09 2:21 ` Jesper Juhl
2005-01-09 2:17 ` Andries Brouwer
2005-01-08 21:47 ` Alan Cox
2005-01-11 22:51 ` [PATCH] make uselib configurable (was Re: uselib() & 2.6.X?) Barry K. Nathan
2005-01-11 23:42 ` Jesper Juhl
2005-01-11 23:59 ` Andries Brouwer
2005-01-12 1:06 ` Jesper Juhl
2005-01-12 1:18 ` David Lang
2005-01-11 22:36 ` Marcelo Tosatti
2005-01-12 2:32 ` Barry K. Nathan
2005-01-12 0:56 ` Marcelo Tosatti
2005-01-12 6:10 ` Barry K. Nathan
2005-01-12 16:47 ` Adrian Bunk
2005-01-12 17:10 ` Barry K. Nathan
2005-01-12 20:16 ` Matt Mackall
2005-01-12 2:12 ` Barry K. Nathan
2005-01-12 2:23 ` David Lang
2005-01-12 2:30 ` Adrian Bunk
2005-01-12 5:11 ` Stephen Pollei
2005-01-12 16:54 ` Adrian Bunk
2005-01-12 7:58 ` Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Pine.LNX.4.61.0501071519330.21405@chaos.analogic.com \
--to=linux-os@chaos.analogic.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-os@analogic.com \
--cc=lukasz@wsisiz.edu.pl \
--cc=marcelo.tosatti@cyclades.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).