* (no subject)
@ 2002-06-24 5:49 pah
2002-06-24 7:34 ` your mail Zwane Mwaikambo
0 siblings, 1 reply; 2+ messages in thread
From: pah @ 2002-06-24 5:49 UTC (permalink / raw)
To: linux-kernel
Hello,
I've just found a bug (an unsignificant bug) in the panic() function!
There's a possible buffer overflow if the formated string exceeds
1024 characters (I think that the problem is in all kernel releases).
The problem is in the use of vsprintf() insted of vsnprintf()!
I know that this doesn't compromise any exploitation by an uid
different than zero, but should be fixed in the case of panic()'s arguments
exceeds the buffer limit (probably by an lkm or something like that) and
cause (probably) a system crash.
Here is the exploitation by an lkm:
/************** LKM ***********/
/*
* panic()'s buffer overflow test
*
* By: Pedro Hortas
* E-Mail: pah@promiscua.org
*
*/
#define __KERNEL__
#define MODULE
#define _LOOSE_KERNEL_NAMES
#include <linux/module.h>
#include <linux/kernel.h>
int init_module(void) {
char foo[2048];
int i;
for (i = 0; i < sizeof(foo); i++)
foo[i] = '\x90';
foo[i - 1] = 0;
panic("Overflowing panic()'s buffer: %s\n", foo);
return 0;
}
int cleanup_module(void) {
return 0;
}
/************* END OF LKM ************/
And here is the patch to fix the problem:
/************* PATCH **************/
diff -urP linux/kernel/panic.c linux-patched/kernel/panic.c
--- linux/kernel/panic.c Sun Sep 30 20:26:08 2001
+++ linux-patched/kernel/panic.c Mon Jun 24 06:18:12 2002
@@ -51,7 +51,7 @@
bust_spinlocks(1);
va_start(args, fmt);
- vsprintf(buf, fmt, args);
+ vsnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
printk(KERN_EMERG "Kernel panic: %s\n",buf);
if (in_interrupt())
/************** END OF PATCH *************/
Pedro Hortas
pah@promiscua.org
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: your mail
2002-06-24 5:49 pah
@ 2002-06-24 7:34 ` Zwane Mwaikambo
0 siblings, 0 replies; 2+ messages in thread
From: Zwane Mwaikambo @ 2002-06-24 7:34 UTC (permalink / raw)
To: pah; +Cc: linux-kernel
On 24 Jun 2002 pah@promiscua.org wrote:
> I've just found a bug (an unsignificant bug) in the panic() function!
> There's a possible buffer overflow if the formated string exceeds
> 1024 characters (I think that the problem is in all kernel releases).
> The problem is in the use of vsprintf() insted of vsnprintf()!
>
> I know that this doesn't compromise any exploitation by an uid
> different than zero, but should be fixed in the case of panic()'s arguments
> exceeds the buffer limit (probably by an lkm or something like that) and
> cause (probably) a system crash.
>
In that case there are quite a number of other places in the kernel which
can be 'exploited' in various ways.
Cheers,
Zwane
--
http://function.linuxpower.ca
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2002-06-24 9:11 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2002-06-24 5:49 pah
2002-06-24 7:34 ` your mail Zwane Mwaikambo
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.