* mremap bug and 2.4?
  2004-01-05 14:54  Robert L. Harris
From: Robert L. Harris
To: Linux-Kernel

Just read this on full disclosure:

http://isec.pl/vulnerabilities/isec-0013-mremap.txt

Is it valid?  No working proof of concept code has been posted so I can't
test my systems.  The article only lists 2.4 and 2.6.  Is this
2.4.16-current, etc?  Anyone have any details about versions that are
safe so I/We can determine if I need to roll a new production kernel out
again?

Thanks,
  Robert

:wq!
---------------------------------------------------------------------------
Robert L. Harris                     | GPG Key ID: E344DA3B @ x-hkp://pgp.mit.edu

DISCLAIMER:
      These are MY OPINIONS ALONE.  I speak for no-one else.

Life is not a destination, it's a journey.
  Microsoft produces 15 car pileups on the highway.
    Don't stop traffic to stand and gawk at the tragedy.
* Re: mremap bug and 2.4?
  2004-01-05 15:21  Erik Mouw
From: Erik Mouw
To: Linux-Kernel

On Mon, Jan 05, 2004 at 09:54:21AM -0500, Robert L. Harris wrote:
> Just read this on full disclosure:
>
> http://isec.pl/vulnerabilities/isec-0013-mremap.txt
>
> Is it valid?

Yes, Marcelo released 2.4.24 an hour ago for that reason.


Erik

-- 
+-- Erik Mouw -- www.harddisk-recovery.com -- +31 70 370 12 90 --
| Lab address: Delftechpark 26, 2628 XH, Delft, The Netherlands
* Re: mremap bug and 2.4?
  2004-01-05 15:26  Marcelo Tosatti
From: Marcelo Tosatti
To: Robert L. Harris
Cc: Linux-Kernel

On Mon, 5 Jan 2004, Robert L. Harris wrote:

> Just read this on full disclosure:
>
> http://isec.pl/vulnerabilities/isec-0013-mremap.txt
>
> Is it valid?  No working proof of concept code has been posted so I can't
> test my systems.  The article only lists 2.4 and 2.6.  Is this
> 2.4.16-current, etc?  Anyone have any details about versions that are
> safe so I/We can determine if I need to roll a new production kernel out
> again?

It is possible that the problem is exploitable. There is no known public
exploit yet, however.

2.4.24 includes a fix for this (mm/mremap.c diff)
* Re: mremap bug and 2.4?
  2004-01-05 15:42  Robert L. Harris
From: Robert L. Harris
To: Marcelo Tosatti
Cc: Linux-Kernel

I love you guys.  Yeah, I have to compile a new kernel, test it and push
it out this week to 600 machines but at least I don't have to wait 6
months and then hope it doesn't kill all my apps.

You guys are great, THANKS!

Robert

Thus spake Marcelo Tosatti (marcelo.tosatti@cyclades.com):

> On Mon, 5 Jan 2004, Robert L. Harris wrote:
>
> > Just read this on full disclosure:
> >
> > http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> >
> > Is it valid?  No working proof of concept code has been posted so I can't
> > test my systems.  The article only lists 2.4 and 2.6.  Is this
> > 2.4.16-current, etc?  Anyone have any details about versions that are
> > safe so I/We can determine if I need to roll a new production kernel out
> > again?
>
> It is possible that the problem is exploitable. There is no known public
> exploit yet, however.
>
> 2.4.24 includes a fix for this (mm/mremap.c diff)

:wq!
---------------------------------------------------------------------------
Robert L. Harris                     | GPG Key ID: E344DA3B @ x-hkp://pgp.mit.edu

DISCLAIMER:
      These are MY OPINIONS ALONE.  I speak for no-one else.

Life is not a destination, it's a journey.
  Microsoft produces 15 car pileups on the highway.
    Don't stop traffic to stand and gawk at the tragedy.
* Re: mremap bug and 2.4?
  2004-01-05 17:10  Diego Calleja
From: Diego Calleja
To: Marcelo Tosatti
Cc: Robert.L.Harris, linux-kernel

On Mon, 5 Jan 2004 13:26:23 -0200 (BRST) Marcelo Tosatti <marcelo.tosatti@cyclades.com> wrote:

> On Mon, 5 Jan 2004, Robert L. Harris wrote:
> > Just read this on full disclosure:
> >
> > http://isec.pl/vulnerabilities/isec-0013-mremap.txt
[...]
> It is possible that the problem is exploitable. There is no known public
> exploit yet, however.
>
> 2.4.24 includes a fix for this (mm/mremap.c diff)

It names 2.2 too. Is there a fix for 2.2?
* Re: mremap bug and 2.4?
  2004-01-05 18:23  Tomas Szepe
From: Tomas Szepe
To: Diego Calleja
Cc: linux-kernel

On Jan-05 2004, Mon, 18:10 +0100 Diego Calleja <grundig@teleline.es> wrote:

> On Mon, 5 Jan 2004 13:26:23 -0200 (BRST) Marcelo Tosatti <marcelo.tosatti@cyclades.com> wrote:
>
> > On Mon, 5 Jan 2004, Robert L. Harris wrote:
> > > Just read this on full disclosure:
> > >
> > > http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> [...]
> > It is possible that the problem is exploitable. There is no known public
> > exploit yet, however.
> >
> > 2.4.24 includes a fix for this (mm/mremap.c diff)
>
> It names 2.2 too. Is there a fix for 2.2?

Ask Alan.  He's not following the kernel mailing list too closely
these days.

-- 
Tomas Szepe <szepe@pinerecords.com>
* mremap() bug and 2.2?
  2004-01-05 18:26  Petr Baudis
From: Petr Baudis
To: Diego Calleja
Cc: Marcelo Tosatti, Robert.L.Harris, linux-kernel

Dear diary, on Mon, Jan 05, 2004 at 06:10:53PM CET, I got a letter,
where Diego Calleja <grundig@teleline.es> told me, that...
> On Mon, 5 Jan 2004 13:26:23 -0200 (BRST) Marcelo Tosatti <marcelo.tosatti@cyclades.com> wrote:
>
> > On Mon, 5 Jan 2004, Robert L. Harris wrote:
> > > Just read this on full disclosure:
> > >
> > > http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> [...]
> > It is possible that the problem is exploitable. There is no known public
> > exploit yet, however.
> >
> > 2.4.24 includes a fix for this (mm/mremap.c diff)
>
> It names 2.2 too. Is there a fix for 2.2?

I'm trying to investigate that right now. In 2.2, mremap() doesn't yet
take the new_addr argument, therefore the "official" 2.4 fix wouldn't
apply at all to it. There are four possibilities:

* The isec.pl guys just made a mistake.

* 2.2's get_unmapped_area() can return dangerous pages for len == 0,
  whilst the 2.4's get_unmapped_area() cannot. (I'm not sure, looking into
  that code right now.)

* 2.4's fix is incorrect.

* I'm missing something obvious.

Does anyone have an idea?

-- 
				Petr "Pasky" Baudis
.
The brain is a wonderful organ; it starts working the moment you get up
in the morning, and does not stop until you get to work.
.
Stuff: http://pasky.or.cz/
* mremap() bug IMHO not in 2.2
  2004-01-05 22:55  Petr Baudis
From: Petr Baudis
To: Diego Calleja, Robert.L.Harris, vherva, ihaquer, cliph
Cc: linux-kernel

Dear diary, on Mon, Jan 05, 2004 at 07:26:07PM CET, I got a letter,
where Petr Baudis <pasky@ucw.cz> told me, that...
> Dear diary, on Mon, Jan 05, 2004 at 06:10:53PM CET, I got a letter,
> where Diego Calleja <grundig@teleline.es> told me, that...
> > On Mon, 5 Jan 2004 13:26:23 -0200 (BRST) Marcelo Tosatti <marcelo.tosatti@cyclades.com> wrote:
> >
> > > On Mon, 5 Jan 2004, Robert L. Harris wrote:
> > > > Just read this on full disclosure:
> > > >
> > > > http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> > [...]
> > > It is possible that the problem is exploitable. There is no known public
> > > exploit yet, however.
> > >
> > > 2.4.24 includes a fix for this (mm/mremap.c diff)
> >
> > It names 2.2 too. Is there a fix for 2.2?
>
> I'm trying to investigate that right now. In 2.2, mremap() doesn't yet
> take the new_addr argument, therefore the "official" 2.4 fix wouldn't
> apply at all to it. There are four possibilities:
>
> * The isec.pl guys just made a mistake.
>
> * 2.2's get_unmapped_area() can return dangerous pages for len == 0,
>   whilst the 2.4's get_unmapped_area() cannot. (I'm not sure, looking into
>   that code right now.)
>
> * 2.4's fix is incorrect.
>
> * I'm missing something obvious.

Actually, after looking at the code again, I'm now quite convinced 2.2
does not have this particular vulnerability. In order for the exploit to
work, you'd need mremap() to relocate you. But mremap() won't take a
newaddr argument, so you can't get yourself relocated explicitly.

And mremap() will not relocate you implicitly to some random spot
either, because since newlen is zero, it will always trigger the
shrinking code, which will just munmap() and bail out.

ihaquer, any comments? Is there something we don't know about? If not,
please correct your announcement.

Kind regards,

-- 
				Petr "Pasky" Baudis
.
The brain is a wonderful organ; it starts working the moment you get up
in the morning, and does not stop until you get to work.
.
Stuff: http://pasky.or.cz/
* Re: mremap() bug IMHO not in 2.2
  2004-01-05 23:36  Linus Torvalds
From: Linus Torvalds
To: Petr Baudis
Cc: Diego Calleja, Robert.L.Harris, vherva, ihaquer, cliph, linux-kernel

On Mon, 5 Jan 2004, Petr Baudis wrote:
>
> Actually, after looking at the code again, I'm now quite convinced 2.2
> has not this particular vulnerability. In order for the exploit to work,
> you'd need mremap() to relocate you.

Can somebody tell me (in private) what the exploit is in the first place?

The thing is, I can see the VM getting confused and creating a zero-sized
vma, and I agree that it shouldn't do that. The fix is trivial.

But I don't see where the claimed privilege escalation comes from. A
zero-sized vma isn't ever going to be _useful_, since nothing will
actually find it.

So yes, it creates some confusion in the VM layer, but it all seems
benign. It's clearly a bug, but where does the security problem come in?

		Linus
* Re: mremap() bug IMHO not in 2.2
  2004-01-05 23:58  Valdis.Kletnieks
From: Valdis.Kletnieks
To: Linus Torvalds
Cc: linux-kernel

On Mon, 05 Jan 2004 15:36:41 PST, Linus Torvalds said:

> So yes, it creates some confusion in the VM layer, but it all seems
> benign. It's clearly a bug, but where does the security problem come in?

Just guessing, but would a zero-length vma be rounded up to a page, and
thus give the attacker scribble permission on a page he shouldn't have had?
* Re: mremap() bug IMHO not in 2.2
  2004-01-06 0:08  Linus Torvalds
From: Linus Torvalds
To: Valdis.Kletnieks
Cc: linux-kernel

On Mon, 5 Jan 2004 Valdis.Kletnieks@vt.edu wrote:
>
> On Mon, 05 Jan 2004 15:36:41 PST, Linus Torvalds said:
>
> > So yes, it creates some confusion in the VM layer, but it all seems
> > benign. It's clearly a bug, but where does the security problem come in?
>
> Just guessing, but would a zero-length vma be rounded up to a page, and
> thus give the attacker scribble permission on a page he shouldn't have had?

Almost certainly not.

It's more likely that one of the two functions that walk through _all_ the
vma's (fork() and exit()) simply knows that a vma can never be
zero-length, and uses a

	addr = vma->vm_start;
	do {
		...
		addr += PAGE_SIZE;
	} while (addr < vma->vm_end);

kind of loop - which means that either fork() or exit() would copy or
release one page too many.

The only page that should matter is likely the one at 0xC0000000, where
there can be extra complications from the fact that we use 4MB pages for
the kernel, so when fork/exit tries to walk the page table, it would get
bogus results.

Still, I'd expect that to lead to a triple fault (and thus a reboot)
rather than any elevation of privileges..

Interesting, in any case. Good catch from whoever found it.

		Linus
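The two mechanisms discussed in the thread, Petr Baudis's point that a zero-length request without an explicit destination only ever reaches the shrink-and-bail path, and Linus's point that a do/while page walk over a zero-sized vma visits one page past the end, are easy to see in a small model. The C below is an added example for this archive page; it is not code from the thread, from iSEC's advisory, or from any kernel release. The MREMAP_MAYMOVE/MREMAP_FIXED flag values are the real Linux ones, but model_mremap() is a simplified stand-in for do_mremap(), TASK_SIZE is the i386 3G/1G split that makes 0xC0000000 the first kernel address, and the guard_zero_len parameter is an assumption about the shape of a fix (the thread says only that 2.4.24 carries an mm/mremap.c diff), not a reproduction of it.

```c
#include <assert.h>
#include <stdio.h>

#define PAGE_SIZE       4096UL
#define TASK_SIZE       0xC0000000UL    /* assumed i386 3G/1G split: first kernel address */
#define MREMAP_MAYMOVE  1               /* real Linux flag values */
#define MREMAP_FIXED    2

/* Minimal stand-in for vm_area_struct: the range [vm_start, vm_end). */
struct vma {
    unsigned long vm_start;
    unsigned long vm_end;
};

/*
 * Model of the mremap() decision; an assumption about its shape, NOT the
 * kernel's actual code.
 * Returns  1 when the call shrank/unmapped in place and bailed out,
 *          0 when it relocated the mapping (*out describes the new vma),
 *         -1 when it rejected the arguments.
 * guard_zero_len models a "refuse new_len == 0" check of the kind a fix
 * would add.
 */
int model_mremap(unsigned long addr, unsigned long old_len,
                 unsigned long new_len, int flags, unsigned long new_addr,
                 int guard_zero_len, struct vma *out)
{
    if (guard_zero_len && new_len == 0)
        return -1;

    /* The usual upper-bound check on an explicit destination: it passes
     * for new_addr == TASK_SIZE precisely because new_len is zero. */
    if ((flags & MREMAP_FIXED) && new_addr + new_len > TASK_SIZE)
        return -1;

    if (old_len >= new_len) {
        /* Shrinking: the tail [addr + new_len, addr + old_len) is unmapped.
         * A 2.2-style caller cannot pass MREMAP_FIXED, so it ends here. */
        if (!(flags & MREMAP_FIXED) || new_addr == addr)
            return 1;
    }

    /* Relocation to the caller's chosen address: with new_len == 0 this
     * yields the zero-sized vma [new_addr, new_addr). */
    out->vm_start = new_addr;
    out->vm_end   = new_addr + new_len;
    return 0;
}

/* The loop shape Linus describes: it assumes every vma holds at least one
 * page. Returns the number of pages visited; *last is the last address. */
unsigned long walk_do_while(const struct vma *v, unsigned long *last)
{
    unsigned long addr = v->vm_start, pages = 0;
    do {
        *last = addr;
        pages++;
        addr += PAGE_SIZE;
    } while (addr < v->vm_end);
    return pages;
}

/* The same walk with the test up front: an empty range visits nothing. */
unsigned long walk_while(const struct vma *v, unsigned long *last)
{
    unsigned long addr = v->vm_start, pages = 0;
    *last = 0;
    while (addr < v->vm_end) {
        *last = addr;
        pages++;
        addr += PAGE_SIZE;
    }
    return pages;
}

/* Issue the zero-length request for a one-page mapping at a constructed
 * address and report model_mremap()'s return code. */
int zero_len_call(int flags, int guard_zero_len)
{
    struct vma v = { 0, 0 };
    return model_mremap(0x10000000UL, PAGE_SIZE, 0, flags, TASK_SIZE,
                        guard_zero_len, &v);
}

/* Drive the 2.4-style MREMAP_FIXED request to TASK_SIZE and walk the
 * resulting zero-sized vma with the chosen loop. */
unsigned long pages_walked_for_zero_vma(int use_do_while, unsigned long *last)
{
    struct vma v = { 0, 0 };
    if (model_mremap(0x10000000UL, PAGE_SIZE, 0, MREMAP_MAYMOVE | MREMAP_FIXED,
                     TASK_SIZE, 0, &v) != 0)
        return (unsigned long)-1;
    return use_do_while ? walk_do_while(&v, last) : walk_while(&v, last);
}

int main(void)
{
    unsigned long last;
    printf("2.2-style (no MREMAP_FIXED), new_len 0: rc=%d\n",
           zero_len_call(MREMAP_MAYMOVE, 0));
    printf("2.4-style MREMAP_FIXED to TASK_SIZE, new_len 0: rc=%d\n",
           zero_len_call(MREMAP_MAYMOVE | MREMAP_FIXED, 0));
    printf("do/while walk: %lu page(s), last at %#lx\n",
           pages_walked_for_zero_vma(1, &last), last);
    printf("while walk:    %lu page(s)\n", pages_walked_for_zero_vma(0, &last));
    printf("same call with zero-length guard: rc=%d\n",
           zero_len_call(MREMAP_MAYMOVE | MREMAP_FIXED, 1));
    return 0;
}
```

The do/while walk visits exactly one page, the one starting at TASK_SIZE, which is the 0xC0000000 page Linus singles out; the while-form walk visits none, and the guarded call never creates the vma in the first place.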
* Re: mremap() bug IMHO not in 2.2
  2004-01-06 2:14  Tomas Szepe
From: Tomas Szepe
To: Linus Torvalds
Cc: Valdis.Kletnieks, linux-kernel

On Jan-05 2004, Mon, 16:08 -0800 Linus Torvalds <torvalds@osdl.org> wrote:

> The only page that should matter is likely the one at 0xC0000000, where
> there can be extra complications from the fact that we use 4MB pages for
> the kernel, so when fork/exit tries to walk the page table, it would get
> bogus results.
>
> Still, I'd expect that to lead to a triple fault (and thus a reboot)
> rather than any elevation of privileges..

Hmmm... so what about non-x86?

> Interesting, in any case. Good catch from whoever found it.

Impressive, yes.

-- 
Tomas Szepe <szepe@pinerecords.com>
* Re: mremap() bug IMHO not in 2.2
  2004-01-06 9:22  Martin Loschwitz
From: Martin Loschwitz
To: linux-kernel

On Mon, Jan 05, 2004 at 04:08:36PM -0800, Linus Torvalds wrote:
>
> The only page that should matter is likely the one at 0xC0000000, where
> there can be extra complications from the fact that we use 4MB pages for
> the kernel, so when fork/exit tries to walk the page table, it would get
> bogus results.
>

This is right, the proof-of-concept exploit to be found on full-disclosure
uses exactly that memory address.

> Still, I'd expect that to lead to a triple fault (and thus a reboot)
> rather than any elevation of privileges..
>

I agree with Linus. I tested the POC-exploit here on Linux 2.4.22-rc2 and
Linux 2.4.23 and all it does is simply reboot the box. As for Linux
2.6.0-test9, I get something like a hangup (the same sound is played again
and again and only reset helps). I actually am not sure whether this
should be called 'local privilege escalation' or rather 'possibility for
Denial of Service attacks'.

> Interesting, in any case. Good catch from whoever found it.
>
> 		Linus

-- 
  .''`.   Martin Loschwitz         Debian GNU/Linux developer
 : :'  :  madkiss@madkiss.org      madkiss@debian.org
 `. `'`   http://www.madkiss.org/  people.debian.org/~madkiss/
   `-     Use Debian GNU/Linux 3.0!  See http://www.debian.org/
* mremap() bug indeed not in 2.2 (confirmed)
  2004-01-06 20:36  Petr Baudis
From: Petr Baudis
To: Diego Calleja, Robert.L.Harris, vherva, ihaquer, cliph, linux-kernel

Dear diary, on Mon, Jan 05, 2004 at 11:55:08PM CET, I got a letter,
where Petr Baudis <pasky@ucw.cz> told me, that...
> Dear diary, on Mon, Jan 05, 2004 at 07:26:07PM CET, I got a letter,
> where Petr Baudis <pasky@ucw.cz> told me, that...
> > Dear diary, on Mon, Jan 05, 2004 at 06:10:53PM CET, I got a letter,
> > where Diego Calleja <grundig@teleline.es> told me, that...
> > > It names 2.2 too. Is there a fix for 2.2?
> >
> > I'm trying to investigate that right now. In 2.2, mremap() doesn't yet
> > take the new_addr argument, therefore the "official" 2.4 fix wouldn't
> > apply at all to it. There are four possibilities:
> >
> > * The isec.pl guys just made a mistake.
..snip..
> Actually, after looking at the code again, I'm now quite convinced 2.2
> does not have this particular vulnerability. In order for the exploit to
> work, you'd need mremap() to relocate you.
..snip..
> ihaquer, any comments? Is there something we don't know about? If not,
> please correct your announcement.

It seems to be indeed so. This was just posted to bugtraq & co:

  Hi,

  our initial posting contains a mistake about the vulnerability of the
  2.2 kernel series. Since the 2.2 kernel series doesn't support the
  MREMAP_FIXED flag it is NOT vulnerable. The source states "MREMAP_FIXED
  option added 5-Dec-1999" but it didn't make it into recent 2.2.x.

  We apologize for inconvenience.

  --
  Paul Starzetz
  iSEC Security Research
  http://isec.pl/

Here you go. And I don't need to worry about my 2.2.25-running pets ;-).

Kind regards,

-- 
				Petr "Pasky" Baudis
.
The brain is a wonderful organ; it starts working the moment you get up
in the morning, and does not stop until you get to work.
.
Stuff: http://pasky.or.cz/
Thread overview: 14+ messages

2004-01-05 14:54 mremap bug and 2.4?  Robert L. Harris
2004-01-05 15:21 ` Erik Mouw
2004-01-05 15:26 ` Marcelo Tosatti
2004-01-05 15:42   ` Robert L. Harris
2004-01-05 17:10   ` Diego Calleja
2004-01-05 18:23     ` Tomas Szepe
2004-01-05 18:26     ` mremap() bug and 2.2?  Petr Baudis
2004-01-05 22:55       ` mremap() bug IMHO not in 2.2  Petr Baudis
2004-01-05 23:36         ` Linus Torvalds
2004-01-05 23:58           ` Valdis.Kletnieks
2004-01-06  0:08             ` Linus Torvalds
2004-01-06  2:14               ` Tomas Szepe
2004-01-06  9:22               ` Martin Loschwitz
2004-01-06 20:36         ` mremap() bug indeed not in 2.2 (confirmed)  Petr Baudis