* mremap bug and 2.4?
@ 2004-01-05 14:54 Robert L. Harris
  2004-01-05 15:21 ` Erik Mouw
  2004-01-05 15:26 ` Marcelo Tosatti
  0 siblings, 2 replies; 14+ messages in thread
From: Robert L. Harris @ 2004-01-05 14:54 UTC (permalink / raw)
  To: Linux-Kernel




Just read this on full disclosure:

http://isec.pl/vulnerabilities/isec-0013-mremap.txt

Is it valid?  No working proof of concept code has been posted so I can't 
test my systems.  The article only lists 2.4 and 2.6.  Is this
2.4.16-current, etc?  Anyone have any details about versions that are
safe so I/We can determine if I need to roll a new production kernel out
again?

Thanks,
  Robert

:wq!
---------------------------------------------------------------------------
Robert L. Harris                     | GPG Key ID: E344DA3B
                                         @ x-hkp://pgp.mit.edu
DISCLAIMER:
      These are MY OPINIONS ALONE.  I speak for no-one else.

Life is not a destination, it's a journey.
  Microsoft produces 15 car pileups on the highway.
    Don't stop traffic to stand and gawk at the tragedy.



* Re: mremap bug and 2.4?
  2004-01-05 14:54 mremap bug and 2.4? Robert L. Harris
@ 2004-01-05 15:21 ` Erik Mouw
  2004-01-05 15:26 ` Marcelo Tosatti
  1 sibling, 0 replies; 14+ messages in thread
From: Erik Mouw @ 2004-01-05 15:21 UTC (permalink / raw)
  To: Linux-Kernel

On Mon, Jan 05, 2004 at 09:54:21AM -0500, Robert L. Harris wrote:
> Just read this on full disclosure:
> 
> http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> 
> Is it valid?

Yes, Marcelo released 2.4.24 an hour ago for that reason.


Erik

-- 
+-- Erik Mouw -- www.harddisk-recovery.com -- +31 70 370 12 90 --
| Lab address: Delftechpark 26, 2628 XH, Delft, The Netherlands


* Re: mremap bug and 2.4?
  2004-01-05 14:54 mremap bug and 2.4? Robert L. Harris
  2004-01-05 15:21 ` Erik Mouw
@ 2004-01-05 15:26 ` Marcelo Tosatti
  2004-01-05 15:42   ` Robert L. Harris
  2004-01-05 17:10   ` Diego Calleja
  1 sibling, 2 replies; 14+ messages in thread
From: Marcelo Tosatti @ 2004-01-05 15:26 UTC (permalink / raw)
  To: Robert L. Harris; +Cc: Linux-Kernel



On Mon, 5 Jan 2004, Robert L. Harris wrote:

>
>
> Just read this on full disclosure:
>
> http://isec.pl/vulnerabilities/isec-0013-mremap.txt
>
> Is it valid?  No working proof of concept code has been posted so I can't
> test my systems.  The article only lists 2.4 and 2.6.  Is this
> 2.4.16-current, etc?  Anyone have any details about versions that are
> safe so I/We can determine if I need to roll a new production kernel out
> again?

It is possible that the problem is exploitable. There is no known public
exploit yet, however.

2.4.24 includes a fix for this (mm/mremap.c diff)


* Re: mremap bug and 2.4?
  2004-01-05 15:26 ` Marcelo Tosatti
@ 2004-01-05 15:42   ` Robert L. Harris
  2004-01-05 17:10   ` Diego Calleja
  1 sibling, 0 replies; 14+ messages in thread
From: Robert L. Harris @ 2004-01-05 15:42 UTC (permalink / raw)
  To: Marcelo Tosatti; +Cc: Linux-Kernel




I love you guys.  Yeah, I have to compile a new kernel, test it and push it out
this week to 600 machines, but at least I don't have to wait 6 months and
then hope it doesn't kill all my apps.

You guys are great, THANKS!

Robert


Thus spake Marcelo Tosatti (marcelo.tosatti@cyclades.com):

> 
> 
> On Mon, 5 Jan 2004, Robert L. Harris wrote:
> 
> >
> >
> > Just read this on full disclosure:
> >
> > http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> >
> > Is it valid?  No working proof of concept code has been posted so I can't
> > test my systems.  The article only lists 2.4 and 2.6.  Is this
> > 2.4.16-current, etc?  Anyone have any details about versions that are
> > safe so I/We can determine if I need to roll a new production kernel out
> > again?
> 
> It is possible that the problem is exploitable. There is no known public
> exploit yet, however.
> 
> 2.4.24 includes a fix for this (mm/mremap.c diff)

:wq!
---------------------------------------------------------------------------
Robert L. Harris                     | GPG Key ID: E344DA3B
                                         @ x-hkp://pgp.mit.edu
DISCLAIMER:
      These are MY OPINIONS ALONE.  I speak for no-one else.

Life is not a destination, it's a journey.
  Microsoft produces 15 car pileups on the highway.
    Don't stop traffic to stand and gawk at the tragedy.



* Re: mremap bug and 2.4?
  2004-01-05 15:26 ` Marcelo Tosatti
  2004-01-05 15:42   ` Robert L. Harris
@ 2004-01-05 17:10   ` Diego Calleja
  2004-01-05 18:23     ` Tomas Szepe
  2004-01-05 18:26     ` mremap() bug and 2.2? Petr Baudis
  1 sibling, 2 replies; 14+ messages in thread
From: Diego Calleja @ 2004-01-05 17:10 UTC (permalink / raw)
  To: Marcelo Tosatti; +Cc: Robert.L.Harris, linux-kernel

On Mon, 5 Jan 2004 13:26:23 -0200 (BRST), Marcelo Tosatti <marcelo.tosatti@cyclades.com> wrote:

> On Mon, 5 Jan 2004, Robert L. Harris wrote:
> > Just read this on full disclosure:
> >
> > http://isec.pl/vulnerabilities/isec-0013-mremap.txt
[...]
> It is possible that the problem is exploitable. There is no known public
> exploit yet, however.
> 
> 2.4.24 includes a fix for this (mm/mremap.c diff)

It names 2.2 too. Is there a fix for 2.2?


* Re: mremap bug and 2.4?
  2004-01-05 17:10   ` Diego Calleja
@ 2004-01-05 18:23     ` Tomas Szepe
  2004-01-05 18:26     ` mremap() bug and 2.2? Petr Baudis
  1 sibling, 0 replies; 14+ messages in thread
From: Tomas Szepe @ 2004-01-05 18:23 UTC (permalink / raw)
  To: Diego Calleja; +Cc: linux-kernel

On Jan-05 2004, Mon, 18:10 +0100
Diego Calleja <grundig@teleline.es> wrote:

> On Mon, 5 Jan 2004 13:26:23 -0200 (BRST), Marcelo Tosatti <marcelo.tosatti@cyclades.com> wrote:
> 
> > On Mon, 5 Jan 2004, Robert L. Harris wrote:
> > > Just read this on full disclosure:
> > >
> > > http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> [...]
> > It is possible that the problem is exploitable. There is no known public
> > exploit yet, however.
> > 
> > 2.4.24 includes a fix for this (mm/mremap.c diff)
> 
> It names 2.2 too. Is there a fix for 2.2?

Ask Alan.  He's not following the kernel mailing list too closely these days.

-- 
Tomas Szepe <szepe@pinerecords.com>


* mremap() bug and 2.2?
  2004-01-05 17:10   ` Diego Calleja
  2004-01-05 18:23     ` Tomas Szepe
@ 2004-01-05 18:26     ` Petr Baudis
  2004-01-05 22:55       ` mremap() bug IMHO not in 2.2 Petr Baudis
  1 sibling, 1 reply; 14+ messages in thread
From: Petr Baudis @ 2004-01-05 18:26 UTC (permalink / raw)
  To: Diego Calleja; +Cc: Marcelo Tosatti, Robert.L.Harris, linux-kernel

Dear diary, on Mon, Jan 05, 2004 at 06:10:53PM CET, I got a letter,
where Diego Calleja <grundig@teleline.es> told me, that...
> On Mon, 5 Jan 2004 13:26:23 -0200 (BRST), Marcelo Tosatti <marcelo.tosatti@cyclades.com> wrote:
> 
> > On Mon, 5 Jan 2004, Robert L. Harris wrote:
> > > Just read this on full disclosure:
> > >
> > > http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> [...]
> > It is possible that the problem is exploitable. There is no known public
> > exploit yet, however.
> > 
> > 2.4.24 includes a fix for this (mm/mremap.c diff)
> 
> It names 2.2 too. Is there a fix for 2.2?

I'm trying to investigate that right now. In 2.2, mremap() doesn't yet
take the new_addr argument, therefore the "official" 2.4 fix wouldn't
apply to it at all. There are four possibilities:

* The isec.pl guys just made a mistake.

* 2.2's get_unmapped_area() can return dangerous pages for len == 0,
whilst the 2.4's get_unmapped_area() cannot. (I'm not sure, looking into
that code right now.)

* 2.4's fix is incorrect.

* I'm missing something obvious.

Does anyone have an idea?

-- 
 
				Petr "Pasky" Baudis
.
The brain is a wonderful organ; it starts working the moment you get up
in the morning, and does not stop until you get to work.
.
Stuff: http://pasky.or.cz/


* mremap() bug IMHO not in 2.2
  2004-01-05 18:26     ` mremap() bug and 2.2? Petr Baudis
@ 2004-01-05 22:55       ` Petr Baudis
  2004-01-05 23:36         ` Linus Torvalds
  2004-01-06 20:36         ` mremap() bug indeed not in 2.2 (confirmed) Petr Baudis
  0 siblings, 2 replies; 14+ messages in thread
From: Petr Baudis @ 2004-01-05 22:55 UTC (permalink / raw)
  To: Diego Calleja, Robert.L.Harris, vherva, ihaquer, cliph; +Cc: linux-kernel

Dear diary, on Mon, Jan 05, 2004 at 07:26:07PM CET, I got a letter,
where Petr Baudis <pasky@ucw.cz> told me, that...
> Dear diary, on Mon, Jan 05, 2004 at 06:10:53PM CET, I got a letter,
> where Diego Calleja <grundig@teleline.es> told me, that...
> > On Mon, 5 Jan 2004 13:26:23 -0200 (BRST), Marcelo Tosatti <marcelo.tosatti@cyclades.com> wrote:
> > 
> > > On Mon, 5 Jan 2004, Robert L. Harris wrote:
> > > > Just read this on full disclosure:
> > > >
> > > > http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> > [...]
> > > It is possible that the problem is exploitable. There is no known public
> > > exploit yet, however.
> > > 
> > > 2.4.24 includes a fix for this (mm/mremap.c diff)
> > 
> > It names 2.2 too. Is there a fix for 2.2?
> 
> I'm trying to investigate that right now. In 2.2, mremap() doesn't yet
> take the new_addr argument, therefore the "official" 2.4 fix wouldn't
> apply to it at all. There are four possibilities:
> 
> * The isec.pl guys just made a mistake.
> 
> * 2.2's get_unmapped_area() can return dangerous pages for len == 0,
> whilst the 2.4's get_unmapped_area() cannot. (I'm not sure, looking into
> that code right now.)
> 
> * 2.4's fix is incorrect.
> 
> * I'm missing something obvious.

Actually, after looking at the code again, I'm now quite convinced 2.2
does not have this particular vulnerability. In order for the exploit to
work, you'd need mremap() to relocate you.

But mremap() won't take a newaddr argument, so you can't get yourself
relocated explicitly. And mremap() will not relocate you implicitly to
some random spot either, because since newlen is zero, it will always
trigger the shrinking code, which will just munmap() and bail out.

ihaquer, any comments? Is there something we don't know about? If not,
please correct your announcement.

Kind regards,

-- 
 
				Petr "Pasky" Baudis
.
The brain is a wonderful organ; it starts working the moment you get up
in the morning, and does not stop until you get to work.
.
Stuff: http://pasky.or.cz/


* Re: mremap() bug IMHO not in 2.2
  2004-01-05 22:55       ` mremap() bug IMHO not in 2.2 Petr Baudis
@ 2004-01-05 23:36         ` Linus Torvalds
  2004-01-05 23:58           ` Valdis.Kletnieks
  2004-01-06 20:36         ` mremap() bug indeed not in 2.2 (confirmed) Petr Baudis
  1 sibling, 1 reply; 14+ messages in thread
From: Linus Torvalds @ 2004-01-05 23:36 UTC (permalink / raw)
  To: Petr Baudis
  Cc: Diego Calleja, Robert.L.Harris, vherva, ihaquer, cliph, linux-kernel



On Mon, 5 Jan 2004, Petr Baudis wrote:
> 
> Actually, after looking at the code again, I'm now quite convinced 2.2
> does not have this particular vulnerability. In order for the exploit to
> work, you'd need mremap() to relocate you.

Can somebody tell me (in private) what the exploit is in the first place?

The thing is, I can see the VM getting confused and creating a zero-sized 
vma, and I agree that it shouldn't do that. The fix is trivial. But I 
don't see where the claimed privilege escalation comes from. A zero-sized 
vma isn't ever going to be _useful_, since nothing will actually find it.

So yes, it creates some confusion in the VM layer, but it all seems 
benign. It's clearly a bug, but where does the security problem come in?

		Linus


* Re: mremap() bug IMHO not in 2.2
  2004-01-05 23:36         ` Linus Torvalds
@ 2004-01-05 23:58           ` Valdis.Kletnieks
  2004-01-06  0:08             ` Linus Torvalds
  0 siblings, 1 reply; 14+ messages in thread
From: Valdis.Kletnieks @ 2004-01-05 23:58 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: linux-kernel


On Mon, 05 Jan 2004 15:36:41 PST, Linus Torvalds said:

> So yes, it creates some confusion in the VM layer, but it all seems 
> benign. It's clearly a bug, but where does the security problem come in?

Just guessing, but would a zero-length vma be rounded up to a page, and
thus give the attacker scribble permission on a page he shouldn't have had?




* Re: mremap() bug IMHO not in 2.2
  2004-01-05 23:58           ` Valdis.Kletnieks
@ 2004-01-06  0:08             ` Linus Torvalds
  2004-01-06  2:14               ` Tomas Szepe
  2004-01-06  9:22               ` Martin Loschwitz
  0 siblings, 2 replies; 14+ messages in thread
From: Linus Torvalds @ 2004-01-06  0:08 UTC (permalink / raw)
  To: Valdis.Kletnieks; +Cc: linux-kernel



On Mon, 5 Jan 2004 Valdis.Kletnieks@vt.edu wrote:
>
> On Mon, 05 Jan 2004 15:36:41 PST, Linus Torvalds said:
> 
> > So yes, it creates some confusion in the VM layer, but it all seems 
> > benign. It's clearly a bug, but where does the security problem come in?
> 
> Just guessing, but would a zero-length vma be rounded up to a page, and
> thus give the attacker scribble permission on a page he shouldn't have had?

Almost certainly not.

It's more likely that one of the two functions that walk through _all_ the 
vma's (fork() and exit()) simply knows that a vma can never be 
zero-length, and uses a

	addr = vma->vm_start;
	do {
		...
		addr += PAGE_SIZE;
	} while (addr < vma->vm_end);

kind of loop - which means that either fork() or exit() would copy or 
release one page too many. 

The only page that should matter is likely the one at 0xC0000000, where 
there can be extra complications from the fact that we use 4MB pages for 
the kernel, so when fork/exit tries to walk the page table, it would get 
bogus results.

Still, I'd expect that to lead to a triple fault (and thus a reboot) 
rather than any elevation of privileges..

Interesting, in any case. Good catch from whoever found it.

		Linus
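The loop shape Linus contrasts above, as an added user-space model that is not part of this thread or of the kernel source. The `struct vma`, `PAGE_SIZE` and the walk functions are simplified stand-ins for the kernel's vm_area_struct and its page-table walkers; the input ranges are constructed for the demonstration, including a zero-length vma at 0xC0000000, the i386 user/kernel boundary the thread mentions.

```c
/*
 * Added example (not from the thread or the kernel tree): a user-space
 * model of the two VMA page-walk shapes.  struct vma and PAGE_SIZE are
 * simplified stand-ins for the kernel's vm_area_struct.
 */
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL

struct vma {
    unsigned long vm_start;   /* first byte of the mapping */
    unsigned long vm_end;     /* one past the last byte (exclusive) */
};

/*
 * The do/while shape: the body runs before the bound is checked, so a
 * vma with vm_start == vm_end still "contains" one page.  Returns the
 * number of pages the walk would copy (fork) or release (exit) and,
 * optionally, the address of the first page it touched.
 */
size_t walk_do_while(const struct vma *vma, unsigned long *first_page)
{
    size_t n = 0;
    unsigned long addr = vma->vm_start;

    do {
        if (n == 0 && first_page)
            *first_page = addr;
        n++;
        addr += PAGE_SIZE;
    } while (addr < vma->vm_end);
    return n;
}

/* The while shape: checks the bound first, so an empty vma walks nothing. */
size_t walk_while(const struct vma *vma, unsigned long *first_page)
{
    size_t n = 0;
    unsigned long addr = vma->vm_start;

    while (addr < vma->vm_end) {
        if (n == 0 && first_page)
            *first_page = addr;
        n++;
        addr += PAGE_SIZE;
    }
    return n;
}

/* Invariant the VM layer relies on: a vma is non-empty and page aligned. */
int vma_is_sane(const struct vma *vma)
{
    return vma->vm_end > vma->vm_start &&
           (vma->vm_start & (PAGE_SIZE - 1)) == 0 &&
           (vma->vm_end & (PAGE_SIZE - 1)) == 0;
}

/* Wrappers taking a [start, end) range, for callers without a struct. */
size_t pages_do_while(unsigned long start, unsigned long end)
{
    struct vma v = { start, end };
    return walk_do_while(&v, NULL);
}

size_t pages_while(unsigned long start, unsigned long end)
{
    struct vma v = { start, end };
    return walk_while(&v, NULL);
}

unsigned long first_page_do_while(unsigned long start, unsigned long end)
{
    struct vma v = { start, end };
    unsigned long page = 0;
    walk_do_while(&v, &page);
    return page;
}

int range_is_sane(unsigned long start, unsigned long end)
{
    struct vma v = { start, end };
    return vma_is_sane(&v);
}

int main(void)
{
    /* Constructed cases: a normal two-page vma, and a zero-length vma
     * sitting at 0xC0000000, where i386 kernel space begins. */
    struct vma normal = { 0x10000UL, 0x12000UL };
    struct vma empty  = { 0xC0000000UL, 0xC0000000UL };

    printf("normal: do/while=%zu while=%zu sane=%d\n",
           walk_do_while(&normal, NULL), walk_while(&normal, NULL),
           vma_is_sane(&normal));
    printf("empty:  do/while=%zu while=%zu sane=%d\n",
           walk_do_while(&empty, NULL), walk_while(&empty, NULL),
           vma_is_sane(&empty));
    return 0;
}
```

For a well-formed vma both walks agree; for the empty one the do/while walk reports one page, at the vma's start address, which is the "one page too many" Linus describes, and `vma_is_sane()` rejects it, which is the check a `do_mremap()` caller would want before such a vma can reach fork() or exit().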


* Re: mremap() bug IMHO not in 2.2
  2004-01-06  0:08             ` Linus Torvalds
@ 2004-01-06  2:14               ` Tomas Szepe
  2004-01-06  9:22               ` Martin Loschwitz
  1 sibling, 0 replies; 14+ messages in thread
From: Tomas Szepe @ 2004-01-06  2:14 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: Valdis.Kletnieks, linux-kernel

On Jan-05 2004, Mon, 16:08 -0800
Linus Torvalds <torvalds@osdl.org> wrote:

> The only page that should matter is likely the one at 0xC0000000, where 
> there can be extra complications from the fact that we use 4MB pages for 
> the kernel, so when fork/exit tries to walk the page table, it would get 
> bogus results.
> 
> Still, I'd expect that to lead to a triple fault (and thus a reboot) 
> rather than any elevation of privileges..

Hmmm... so what about non-x86?

> Interesting, in any case. Good catch from whoever found it.

Impressive, yes.

-- 
Tomas Szepe <szepe@pinerecords.com>


* Re: mremap() bug IMHO not in 2.2
  2004-01-06  0:08             ` Linus Torvalds
  2004-01-06  2:14               ` Tomas Szepe
@ 2004-01-06  9:22               ` Martin Loschwitz
  1 sibling, 0 replies; 14+ messages in thread
From: Martin Loschwitz @ 2004-01-06  9:22 UTC (permalink / raw)
  To: linux-kernel


On Mon, Jan 05, 2004 at 04:08:36PM -0800, Linus Torvalds wrote:
> 
> 
> The only page that should matter is likely the one at 0xC0000000, where 
> there can be extra complications from the fact that we use 4MB pages for 
> the kernel, so when fork/exit tries to walk the page table, it would get 
> bogus results.
> 
This is right; the proof-of-concept exploit to be found on full-disclosure
uses exactly that memory address.

> Still, I'd expect that to lead to a triple fault (and thus a reboot) 
> rather than any elevation of privileges..
> 
I agree with Linus. I tested the POC exploit here on Linux 2.4.22-rc2
and Linux 2.4.23, and all it does is simply reboot the box. As
for Linux 2.6.0-test9, I get something like a hangup (the same sound is
played again and again and only a reset helps).

I actually am not sure whether this should be called 'local privilege
escalation' or rather 'possibility for Denial of Service attacks'.

> Interesting, in any case. Good catch from whoever found it.
> 
> 		Linus
> -

-- 
  .''`.   Martin Loschwitz           Debian GNU/Linux developer
 : :'  :  madkiss@madkiss.org        madkiss@debian.org
 `. `'`   http://www.madkiss.org/    people.debian.org/~madkiss/
   `-     Use Debian GNU/Linux 3.0!  See http://www.debian.org/



* mremap() bug indeed not in 2.2 (confirmed)
  2004-01-05 22:55       ` mremap() bug IMHO not in 2.2 Petr Baudis
  2004-01-05 23:36         ` Linus Torvalds
@ 2004-01-06 20:36         ` Petr Baudis
  1 sibling, 0 replies; 14+ messages in thread
From: Petr Baudis @ 2004-01-06 20:36 UTC (permalink / raw)
  To: Diego Calleja, Robert.L.Harris, vherva, ihaquer, cliph, linux-kernel

Dear diary, on Mon, Jan 05, 2004 at 11:55:08PM CET, I got a letter,
where Petr Baudis <pasky@ucw.cz> told me, that...
> Dear diary, on Mon, Jan 05, 2004 at 07:26:07PM CET, I got a letter,
> where Petr Baudis <pasky@ucw.cz> told me, that...
> > Dear diary, on Mon, Jan 05, 2004 at 06:10:53PM CET, I got a letter,
> > where Diego Calleja <grundig@teleline.es> told me, that...
> > > It names 2.2 too. Is there a fix for 2.2?
> > 
> > I'm trying to investigate that right now. In 2.2, mremap() doesn't yet
> > take the new_addr argument, therefore the "official" 2.4 fix wouldn't
> > apply to it at all. There are four possibilities:
> > 
> > * The isec.pl guys just made a mistake.
..snip..
> Actually, after looking at the code again, I'm now quite convinced 2.2
> does not have this particular vulnerability. In order for the exploit to
> work, you'd need mremap() to relocate you.
..snip..
> ihaquer, any comments? Is there something we don't know about? If not,
> please correct your announcement.

It seems to be indeed so. This was just posted to bugtraq & co:

Hi,

our initial posting contains a mistake about the vulnerability of the
2.2 kernel series. Since the 2.2 kernel series doesn't support the
MREMAP_FIXED flag, it is NOT vulnerable. The source states "MREMAP_FIXED
option added 5-Dec-1999", but it didn't make it into recent 2.2.x. We
apologize for the inconvenience.

--
Paul Starzetz
iSEC Security Research
http://isec.pl/

Here you go. And I don't need to worry about my 2.2.25-running pets ;-).

Kind regards,

-- 
 
				Petr "Pasky" Baudis
.
The brain is a wonderful organ; it starts working the moment you get up
in the morning, and does not stop until you get to work.
.
Stuff: http://pasky.or.cz/

