linux-kernel.vger.kernel.org archive mirror
* 2.6.1-rc1 affected?
@ 2004-01-05 16:31 Markus Hästbacka
  2004-01-05 16:41 ` [patchlet link] " Maciej Soltysiak
  2004-01-05 16:46 ` Linus Torvalds
  0 siblings, 2 replies; 19+ messages in thread
From: Markus Hästbacka @ 2004-01-05 16:31 UTC (permalink / raw)
  To: Kernel Mailinglist

Hello list,

I heard the news about the new exploit, and I'm wondering if 2.6.0 or
2.6.1-rc1 is affected with this mremap bug?

Thanks,
Best regards,
Markus
-- 
"Software is like sex, it's better when it's free."
Markus Hästbacka <midian at ihme dot org>


* [patchlet link] Re: 2.6.1-rc1 affected?
  2004-01-05 16:31 2.6.1-rc1 affected? Markus Hästbacka
@ 2004-01-05 16:41 ` Maciej Soltysiak
  2004-01-05 16:46 ` Linus Torvalds
  1 sibling, 0 replies; 19+ messages in thread
From: Maciej Soltysiak @ 2004-01-05 16:41 UTC (permalink / raw)
  To: Kernel Mailinglist

Yes, it seems so, according to the report:
http://isec.pl/vulnerabilities/isec-0013-mremap.txt

And from the looks of mm/mremap.c.

For those who might need to update mm/mremap.c, I extracted the
patch from 2.4.24 and tested it on 2.6.0.
You might just patch 2.6.0 with the exact same patch which
is in 2.6.

http://dns.toxicfilms.tv/mremap.diff

But does grsec for 2.4 guard against this? I doubt it, but I am no guru.
Does anyone knowledgeable enough have an answer?

Regards,
Maciej



* Re: 2.6.1-rc1 affected?
  2004-01-05 16:31 2.6.1-rc1 affected? Markus Hästbacka
  2004-01-05 16:41 ` [patchlet link] " Maciej Soltysiak
@ 2004-01-05 16:46 ` Linus Torvalds
  2004-01-05 18:14   ` Markus Hästbacka
  1 sibling, 1 reply; 19+ messages in thread
From: Linus Torvalds @ 2004-01-05 16:46 UTC (permalink / raw)
  To: Markus Hästbacka; +Cc: Kernel Mailinglist, Ulrich Drepper



On Mon, 5 Jan 2004, Markus Hästbacka wrote:
> 
> I heard the news about the new exploit, and I'm wondering if 2.6.0 or
> 2.6.1-rc1 is affected with this mremap bug?

Yup.

I'd actually personally prefer a stronger test than the one in 2.4.24, and 
my personal preference would be for just disallowing the degenerate cases
entirely.  I don't see a "mremap away" as being a valid thing to do, since 
if that is what you want, why not just do a "munmap()"?

Uli cc'd, to check whether libc could ever use a zero-sized mremap()..

		Linus

----
===== mm/mremap.c 1.33 vs edited =====
--- 1.33/mm/mremap.c	Sat Aug 23 23:50:10 2003
+++ edited/mm/mremap.c	Mon Jan  5 08:34:21 2004
@@ -315,6 +315,10 @@
 	old_len = PAGE_ALIGN(old_len);
 	new_len = PAGE_ALIGN(new_len);
 
+	/* Don't allow the degenerate cases */
+	if (!(old_len | new_len))
+		goto out;
+
 	/* new_addr is only valid if MREMAP_FIXED is specified */
 	if (flags & MREMAP_FIXED) {
 		if (new_addr & ~PAGE_MASK)
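Review bot: the test `if (!(old_len | new_len))` fires only when both page-aligned lengths are zero, so a call with old_len != 0 and new_len == 0 (or the reverse) passes this check and continues down the normal path; that is narrower than the comment "Don't allow the degenerate cases" and than the stated intent of disallowing zero-sized mremap(), so `if (!old_len || !new_len)` looks like what is meant, and either way the comment should say which degenerate cases are rejected. Since the check follows the PAGE_ALIGN() of both lengths, it is also worth saying in the comment that the aligned values are being tested: a sub-page new_len rounds up to one page and is accepted.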


* Re: 2.6.1-rc1 affected?
  2004-01-05 16:46 ` Linus Torvalds
@ 2004-01-05 18:14   ` Markus Hästbacka
  2004-01-05 18:31     ` Linus Torvalds
  0 siblings, 1 reply; 19+ messages in thread
From: Markus Hästbacka @ 2004-01-05 18:14 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: Kernel Mailinglist


On Mon, 2004-01-05 at 18:46, Linus Torvalds wrote:
> Yup.
> 
Why isn't there any security update to 2.6.0/2.6.1-rc1 out yet, then?
Yes, the patch..
But I think there's corporations who use 2.6.0 and don't read the lkml.

Just a penny for my thoughts..

Regards,
Markus

> I'd actually personally prefer a stronger test than the one in 2.4.24, and 
> my personal preference would be for just disallowing the degenerate cases
> entirely.  I don't see a "mremap away" as being a valid thing to do, since 
> if that is what you want, why not just do a "munmap()"?
> 
> Uli cc'd, to check whether libc could ever use a zero-sized mremap()..
> 
> 		Linus
-- 
"Software is like sex, it's better when it's free."
Markus Hästbacka <midian at ihme dot org>



* Re: 2.6.1-rc1 affected?
  2004-01-05 18:14   ` Markus Hästbacka
@ 2004-01-05 18:31     ` Linus Torvalds
  2004-01-05 19:04       ` Markus Hästbacka
  2004-01-05 19:38       ` GCS
  0 siblings, 2 replies; 19+ messages in thread
From: Linus Torvalds @ 2004-01-05 18:31 UTC (permalink / raw)
  To: Markus Hästbacka; +Cc: Kernel Mailinglist



On Mon, 5 Jan 2004, Markus Hästbacka wrote:
>
> Why isn't there any security update to 2.6.0/2.6.1-rc1 out yet, then?

Because nobody actually contacted me about the problem and I read about it
on linux-kernel like everybody else? Because I just got up and created the
patch? And because nobody has an exploit yet, and one may be hard or
impossible to create? And because people who care about these things tend
to not update to x.0 kernels anyway?

> But I think there's corporations who use 2.6.0 and don't read the lkml.

They'll get a 2.6.1 soonish. The patch is in the current BK tree, will be 
in -rc2, and will be in 2.6.1. Let's just make sure we don't screw up the 
release due to being too much in a hurry either..

			Linus


* Re: 2.6.1-rc1 affected?
  2004-01-05 18:31     ` Linus Torvalds
@ 2004-01-05 19:04       ` Markus Hästbacka
  2004-01-05 19:38       ` GCS
  1 sibling, 0 replies; 19+ messages in thread
From: Markus Hästbacka @ 2004-01-05 19:04 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: Kernel Mailinglist


On Mon, 2004-01-05 at 20:31, Linus Torvalds wrote:
> Because nobody actually contacted me about the problem and I read about it
> on linux-kernel like everybody else? Because I just got up and created the
> patch? And because nobody has an exploit yet, and one may be hard or
> impossible to create? And because people who care about these things tend
> to not update to x.0 kernels anyway?
> 
OK, I see your point. Though, even though I care about these things, I
updated one of my servers to the development tree somewhere around 2.5.70.
The reason for me was the major performance difference.
> > But I think there's corporations who use 2.6.0 and don't read the lkml.
> 
> They'll get a 2.6.1 soonish. The patch is in the current BK tree, will be 
> in -rc2, and will be in 2.6.1. Let's just make sure we don't screw up the 
> release due to being too much in a hurry either..
> 
Yes, better give it time and not rush.

Thanks for your time.
-- 
"Software is like sex, it's better when it's free."
Markus Hästbacka <midian at ihme dot org>



* Re: 2.6.1-rc1 affected?
  2004-01-05 18:31     ` Linus Torvalds
  2004-01-05 19:04       ` Markus Hästbacka
@ 2004-01-05 19:38       ` GCS
  2004-01-05 22:48         ` Tomas Szepe
  1 sibling, 1 reply; 19+ messages in thread
From: GCS @ 2004-01-05 19:38 UTC (permalink / raw)
  To: Kernel Mailinglist

On Mon, Jan 05, 2004 at 10:31:02AM -0800, Linus Torvalds <torvalds@osdl.org> wrote:
[snip]
> And because nobody has an exploit yet, and one may be hard or
> impossible to create?
 There _is_ an exploit: http://isec.pl/vulnerabilities/isec-0013-mremap.txt
"Since no special privileges are required to use the mremap(2) system
call any process may misuse its unexpected behavior to disrupt the kernel
memory management subsystem. Proper exploitation of this vulnerability may
lead to local privilege escalation including execution of  arbitrary code
with kernel level access. Proof-of-concept exploit code has been created 
and successfully tested giving UID 0 shell on vulnerable systems."

Cheers,
GCS


* Re: 2.6.1-rc1 affected?
  2004-01-05 19:38       ` GCS
@ 2004-01-05 22:48         ` Tomas Szepe
  2004-01-06  0:23           ` Bastiaan Spandaw
  0 siblings, 1 reply; 19+ messages in thread
From: Tomas Szepe @ 2004-01-05 22:48 UTC (permalink / raw)
  To: GCS; +Cc: Kernel Mailinglist

On Jan-05 2004, Mon, 20:38 +0100
GCS <gcs@lsc.hu> wrote:

> There _is_ an exploit: http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> "Since no special privileges are required to use the mremap(2) system
...

I will not believe the claim until I've seen the code.

-- 
Tomas Szepe <szepe@pinerecords.com>


* Re: 2.6.1-rc1 affected?
  2004-01-05 22:48         ` Tomas Szepe
@ 2004-01-06  0:23           ` Bastiaan Spandaw
  2004-01-06  1:09             ` Max Valdez
  2004-01-06  6:39             ` Jakob Oestergaard
  0 siblings, 2 replies; 19+ messages in thread
From: Bastiaan Spandaw @ 2004-01-06  0:23 UTC (permalink / raw)
  To: Tomas Szepe; +Cc: linux-kernel

On Mon, 2004-01-05 at 23:48, Tomas Szepe wrote:
> On Jan-05 2004, Mon, 20:38 +0100
> GCS <gcs@lsc.hu> wrote:
> 
> > There _is_ an exploit: http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> > "Since no special privileges are required to use the mremap(2) system
> ...
> 
> I will not believe the claim until I've seen the code.

Not sure if this works or not.
According to a slashdot comment this is proof of concept code.

http://linuxfromscratch.org/~devine/mremap_poc.c

Regards,

Bastiaan



* Re: 2.6.1-rc1 affected?
  2004-01-06  0:23           ` Bastiaan Spandaw
@ 2004-01-06  1:09             ` Max Valdez
  2004-01-06  1:25               ` Jesper Juhl
  2004-01-06  6:39             ` Jakob Oestergaard
  1 sibling, 1 reply; 19+ messages in thread
From: Max Valdez @ 2004-01-06  1:09 UTC (permalink / raw)
  To: Bastiaan Spandaw; +Cc: Tomas Szepe, kernel


At least it hangs a redhat 7.2 kernel 

I will test it further tomorrow, but it looks like a good proof to me

Best regards
Max
On Mon, 2004-01-05 at 18:23, Bastiaan Spandaw wrote:
> On Mon, 2004-01-05 at 23:48, Tomas Szepe wrote:
> > On Jan-05 2004, Mon, 20:38 +0100
> > GCS <gcs@lsc.hu> wrote:
> > 
> > > There _is_ an exploit: http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> > > "Since no special privileges are required to use the mremap(2) system
> > ...
> > 
> > I will not believe the claim until I've seen the code.
> 
> Not sure if this works or not.
> According to a slashdot comment this is proof of concept code.
> 
> http://linuxfromscratch.org/~devine/mremap_poc.c
> 
> Regards,
> 
> Bastiaan
> 
-- 
Linux garaged 2.4.24 #2 SMP Mon Jan 5 17:41:16 CST 2004 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GS/ d-s:a-28C++ILHA+++P+L++>+++E---W++N*o--K-w++++O-M--V--PS+PEY--PGP++t5XRtv++b++DI--D-G++e++h-r+y**
------END GEEK CODE BLOCK------
gpg-key: http://garaged.homeip.net/gpg-key.txt



* Re: 2.6.1-rc1 affected?
  2004-01-06  1:09             ` Max Valdez
@ 2004-01-06  1:25               ` Jesper Juhl
  2004-01-06  1:31                 ` Hugang
  2004-01-06  2:47                 ` szonyi calin
  0 siblings, 2 replies; 19+ messages in thread
From: Jesper Juhl @ 2004-01-06  1:25 UTC (permalink / raw)
  To: linux-kernel; +Cc: Bastiaan Spandaw, Tomas Szepe, Max Valdez


On Tue, 6 Jan 2004, Max Valdez wrote:

> At least it hangs a redhat 7.2 kernel
>
> I will test it further tomorrow, but it looks like a good proof to me
>
> Best regards
> Max
> On Mon, 2004-01-05 at 18:23, Bastiaan Spandaw wrote:
> > On Mon, 2004-01-05 at 23:48, Tomas Szepe wrote:
> > > On Jan-05 2004, Mon, 20:38 +0100
> > > GCS <gcs@lsc.hu> wrote:
> > >
> > > > There _is_ an exploit: http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> > > > "Since no special privileges are required to use the mremap(2) system
> > > ...
> > >
> > > I will not believe the claim until I've seen the code.
> >
> > Not sure if this works or not.
> > According to a slashdot comment this is proof of concept code.
> >
> > http://linuxfromscratch.org/~devine/mremap_poc.c
> >
> > Regards,
> >
> > Bastiaan
> >

On my box that program is a very effective 'instant reboot'.

The instant I ran it from a xterm my screen went black, the music I was
listening to from a CD stopped and the machine rebooted.
The running kernel was 2.6.1-rc1-mm1


- Jesper Juhl



* Re: 2.6.1-rc1 affected?
  2004-01-06  1:25               ` Jesper Juhl
@ 2004-01-06  1:31                 ` Hugang
  2004-01-06  1:43                   ` Hugang
  2004-01-06  2:47                 ` szonyi calin
  1 sibling, 1 reply; 19+ messages in thread
From: Hugang @ 2004-01-06  1:31 UTC (permalink / raw)
  To: Jesper Juhl; +Cc: linux-kernel, Bastiaan Spandaw, Tomas Szepe, Max Valdez

On Tue, 6 Jan 2004 02:25:36 +0100 (CET)
Jesper Juhl <juhl-lkml@dif.dk> wrote:

> 
> On Tue, 6 Jan 2004, Max Valdez wrote:
> 
> > At least it hangs a redhat 7.2 kernel
> >
> > I will test it further tomorrow, but it looks like a good proof to me
> On my box that program is a very effective 'instant reboot'.
> 
> The instant I ran it from a xterm my screen went black, the music I was
> listening to from a CD stopped and the machine rebooted.
> The running kernel was 2.6.1-rc1-mm1

Does nothing on my laptop.

[hugang@:build]$ ./mremap_poc 
Trace/breakpoint trap

powerpc G4, PowerBook G4, 2.6.0-test11-wli + laptop mode patch

-- 
Hu Gang / Steve
RLU#          : 204016 [1999] (Registered Linux user)
GPG Public Key: http://soulinfo.com/~hugang/HuGang.asc


* Re: 2.6.1-rc1 affected?
  2004-01-06  1:31                 ` Hugang
@ 2004-01-06  1:43                   ` Hugang
  0 siblings, 0 replies; 19+ messages in thread
From: Hugang @ 2004-01-06  1:43 UTC (permalink / raw)
  To: Hugang
  Cc: Jesper Juhl, linux-kernel, Bastiaan Spandaw, Tomas Szepe, Max Valdez

On Tue, 6 Jan 2004 09:31:45 +0800
Hugang <hugang@soulinfo.com> wrote:

> do nothing in my laptop.
> 
> [hugang@:build]$ ./mremap_poc 
> Trace/breakpoint trap
> 
> powerpc G4, PowerBook G4, 2.6.0-test11-wli + laptop mode path

Sorry, my fault, it made my kernel oops.

kernel BUG in exit_mmap at mm/mmap.c:1468!
Oops: Exception in kernel mode, sig: 5 [#14]
NIP: C00490E0 LR: C00490B0 SP: C094DED0 REGS: c094de20 TRAP: 0700    Not tainted
MSR: 00029032 EE: 1 PR: 0 FP: 0 ME: 1 IR/DR: 11
TASK = c1c83160[2783] 'mremap_poc' Last syscall: 1 
GPR00: 00000001 C094DED0 C1C83160 0000000A 00000000 0A89DFFC C01C6740 00009032 
GPR08: 0000AF9F C01F247C FFFFFFCB C01F0000 82000002 100187B8 00000000 100D7B78 
GPR16: 100D6BE8 10060000 10060000 00000000 00000000 100C8558 100D6BE8 00000000 
GPR24: 00000000 0FFE6BB0 0FFD9590 0FFD9590 00000000 00000000 C1C83160 C95384C0 
Call trace:
 [c0016914] mmput+0x7c/0xbc
 [c001a9e8] do_exit+0x19c/0x380
 [c001ac08] do_group_exit+0x0/0x98
 [c000602c] ret_from_syscall+0x0/0x4c


-- 
Hu Gang / Steve
RLU#          : 204016 [1999] (Registered Linux user)
GPG Public Key: http://soulinfo.com/~hugang/HuGang.asc


* Re: 2.6.1-rc1 affected?
  2004-01-06  1:25               ` Jesper Juhl
  2004-01-06  1:31                 ` Hugang
@ 2004-01-06  2:47                 ` szonyi calin
  2004-01-06  3:24                   ` Jonathan Higdon
  1 sibling, 1 reply; 19+ messages in thread
From: szonyi calin @ 2004-01-06  2:47 UTC (permalink / raw)
  To: Jesper Juhl, linux-kernel; +Cc: Bastiaan Spandaw, Tomas Szepe, Max Valdez

--- Jesper Juhl <juhl-lkml@dif.dk> wrote:
> On Tue, 6 Jan 2004, Max Valdez wrote:
> 
> > At least it hangs a redhat 7.2 kernel
> >
> > I will test it further tomorrow, but it looks like a good proof to me
> >
> > > >
> > > > > There _is_ an exploit: http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> > > > > "Since no special privileges are required to use the mremap(2) system
> > > > ...
> > > >
> > > > I will not believe the claim until I've seen the code.
> > >
> > > Not sure if this works or not.
> > > According to a slashdot comment this is proof of concept code.
> > >
> > > http://linuxfromscratch.org/~devine/mremap_poc.c
> > >
> > > Regards,
> > >
> > > Bastiaan
> > >
> 
> On my box that program is a very effective 'instant reboot'.
> 

on mine just a segfault :-)
sony@grinch -04:47:32- 0 jobs, ver 2.05b.0 3 
 /~/schule $ gcc -o mremap_poc mremap_poc.c 
sony@grinch -04:47:35- 0 jobs, ver 2.05b.0 3 
 /~/schule $ ./mremap_poc 
Segmentation fault

> The instant I ran it from a xterm my screen went black, the music I was
> listening to from a CD stopped and the machine rebooted.
> The running kernel was 2.6.1-rc1-mm1
> 
> 

maybe you were running the program as root ?

> 
> - Jesper Juhl
> 

Calin

=====
--
A mouse is a device used to point at 
the xterm you want to type in.
Kim Alm on a.s.r.



* Re: 2.6.1-rc1 affected?
  2004-01-06  2:47                 ` szonyi calin
@ 2004-01-06  3:24                   ` Jonathan Higdon
  2004-01-06  3:51                     ` szonyi calin
  0 siblings, 1 reply; 19+ messages in thread
From: Jonathan Higdon @ 2004-01-06  3:24 UTC (permalink / raw)
  To: szonyi calin
  Cc: Jesper Juhl, linux-kernel, Bastiaan Spandaw, Tomas Szepe, Max Valdez



On Tue, 6 Jan 2004, szonyi calin wrote:

> --- Jesper Juhl <juhl-lkml@dif.dk> wrote:
> > On Tue, 6 Jan 2004, Max Valdez wrote:
> >
> > > At least it hangs a redhat 7.2 kernel
> > >
> > > I will test it further tomorrow, but it looks like a good proof to me
> > >
> > > > >
> > > > > > There _is_ an exploit: http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> > > > > > "Since no special privileges are required to use the mremap(2) system
> > > > > ...
> > > > >
> > > > > I will not believe the claim until I've seen the code.
> > > >
> > > > Not sure if this works or not.
> > > > According to a slashdot comment this is proof of concept code.
> > > >
> > > > http://linuxfromscratch.org/~devine/mremap_poc.c
> > > >
> > > > Regards,
> > > >
> > > > Bastiaan
> > > >
> >
> > On my box that program is a very effective 'instant reboot'.
> >
>
> on mine just a segfault :-)
> sony@grinch -04:47:32- 0 jobs, ver 2.05b.0 3
>  /~/schule $ gcc -o mremap_poc mremap_poc.c
> sony@grinch -04:47:35- 0 jobs, ver 2.05b.0 3
>  /~/schule $ ./mremap_poc
> Segmentation fault
>
> > The instant I ran it from a xterm my screen went black, the music I was
> > listening to from a CD stopped and the machine rebooted.
> > The running kernel was 2.6.1-rc1-mm1
> >
>
> maybe you were running the program as root ?

I tried it on 2.6.0 as a regular user and got an instant reboot.
stracing it showed the faults and the system was unusable after that :)

~jon


* Re: 2.6.1-rc1 affected?
  2004-01-06  3:24                   ` Jonathan Higdon
@ 2004-01-06  3:51                     ` szonyi calin
  0 siblings, 0 replies; 19+ messages in thread
From: szonyi calin @ 2004-01-06  3:51 UTC (permalink / raw)
  To: Jonathan Higdon
  Cc: linux-kernel, Jesper Juhl, Bastiaan Spandaw, Tomas Szepe, Max Valdez

--- Jonathan Higdon <jhigdon@linuxfools.org> wrote:
> 
> On Tue, 6 Jan 2004, szonyi calin wrote:
> 
> > >
> > > On my box that program is a very effective 'instant reboot'.
> > >
> >
> > on mine just a segfault :-)
> > sony@grinch -04:47:32- 0 jobs, ver 2.05b.0 3
> >  /~/schule $ gcc -o mremap_poc mremap_poc.c
> > sony@grinch -04:47:35- 0 jobs, ver 2.05b.0 3
> >  /~/schule $ ./mremap_poc
> > Segmentation fault
> >

Correction:
if it is compiled with -g and statically linked and run from
a gdb session it hard-locks the machine. Only a hard reset helps.
If it's run from a shell -> segfaults :-)
So at least on my system an attacker needs gdb to crash the
machine :-)
 

> > > The instant I ran it from a xterm my screen went black, the music I was
> > > listening to from a CD stopped and the machine rebooted.
> > > The running kernel was 2.6.1-rc1-mm1
> > >
> >
> > maybe you were running the program as root ?
> 
> I tried it on 2.6.0 as a regular user and got an instant reboot.
> stracing it showed the faults and the system was unusable after that :)
> 
> ~jon

=====
--
A mouse is a device used to point at 
the xterm you want to type in.
Kim Alm on a.s.r.



* Re: 2.6.1-rc1 affected?
  2004-01-06  0:23           ` Bastiaan Spandaw
  2004-01-06  1:09             ` Max Valdez
@ 2004-01-06  6:39             ` Jakob Oestergaard
  2004-01-06  9:26               ` Giuliani Ivan
  1 sibling, 1 reply; 19+ messages in thread
From: Jakob Oestergaard @ 2004-01-06  6:39 UTC (permalink / raw)
  To: Bastiaan Spandaw; +Cc: Tomas Szepe, linux-kernel

On Tue, Jan 06, 2004 at 01:23:44AM +0100, Bastiaan Spandaw wrote:
...
> Not sure if this works or not.
> According to a slashdot comment this is proof of concept code.
> 
> http://linuxfromscratch.org/~devine/mremap_poc.c

A few tests, all on IA32, all as non-root user:

RedHat 5.2, (vanilla 2.0.39) = no effect
RedHat 6.2, (vanilla 2.4.18) = instant reboot
RedHat 7.2, (redhat 2.4.9-7) = instant reboot
Debian 2.2, (vanilla 2.2.19) = no effect
SuSE 7.3, (suse 2.4.10-4GB) = instant reboot

Cheers,

 / jakob



* Re: 2.6.1-rc1 affected?
  2004-01-06  6:39             ` Jakob Oestergaard
@ 2004-01-06  9:26               ` Giuliani Ivan
  0 siblings, 0 replies; 19+ messages in thread
From: Giuliani Ivan @ 2004-01-06  9:26 UTC (permalink / raw)
  To: linux-kernel

On Tue, 6 Jan 2004 07:39:06 +0100
Jakob Oestergaard <jakob@unthought.net> wrote:

> On Tue, Jan 06, 2004 at 01:23:44AM +0100, Bastiaan Spandaw wrote:
> ...
> > Not sure if this works or not.
> > According to a slashdot comment this is proof of concept code.
> > 
> > http://linuxfromscratch.org/~devine/mremap_poc.c
> 
> A few tests, all on IA32, all as non-root user:
> 
> RedHat 5.2, (vanilla 2.0.39) = no effect
> RedHat 6.2, (vanilla 2.4.18) = instant reboot
> RedHat 7.2, (redhat 2.4.9-7) = instant reboot
> Debian 2.2, (vanilla 2.2.19) = no effect
> SuSE 7.3, (suse 2.4.10-4GB) = instant reboot

On my 2.4.22 (Slackware 9.1 default) and on my 2.6.0-test11 (vanilla) on IA32 it
worked fine.

-- 
Ivan "kratorius" Giuliani  ::  PGP Public Key ID:
http://kratorius.cjb.net   ::  0x840F429D @ keyserver.linux.it
LUGBari Member             ::


* Re: 2.6.1-rc1 affected?
       [not found] ` <1aG5G-3mf-21@gated-at.bofh.it>
@ 2004-01-06 12:44   ` Michal Schmidt
  0 siblings, 0 replies; 19+ messages in thread
From: Michal Schmidt @ 2004-01-06 12:44 UTC (permalink / raw)
  To: linux-kernel

Linus Torvalds wrote:
> I'd actually personally prefer a stronger test than the one in 2.4.24, and 
> my personal preference would be for just disallowing the degenerate cases
> entirely.  I don't see a "mremap away" as being a valid thing to do, since 
> if that is what you want, why not just do a "munmap()"?
> 

I believe your fix isn't correct.
Should that test be:
   if(!old_len || !new_len)
        goto out;
?

The difference is when old_len!=0 and new_len==0:
With the fix that Marcelo merged, mremap does nothing and returns -1.
With your fix, mremap does do_munmap and then returns -1.

Michal Schmidt

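As an added example (not code from this thread, from Linus's patch or from the kernel tree), the following user-space model applies both checks discussed above, Linus's `!(old_len | new_len)` and Michal Schmidt's `!old_len || !new_len`, after the same PAGE_ALIGN step that precedes the check in the mm/mremap.c hunk, and tabulates which (old_len, new_len) pairs each one rejects. It assumes 4 KiB pages (PAGE_SHIFT = 12, as on IA32) and models only the two length tests, not the kernel's `out` path or the rest of do_mremap(). The last probe goes beyond the thread: it shows that PAGE_ALIGN() of a length near ULONG_MAX wraps to zero in this model, which the either-zero test catches and the both-zero test does not.

```c
/*
 * Added example, not kernel code: a user-space model of the two
 * "degenerate length" checks discussed in the 2.6.1-rc1 mremap thread,
 * run on the page-aligned lengths in the same order as the hunk in
 * mm/mremap.c (PAGE_ALIGN first, test second).
 *
 * Assumption: 4 KiB pages (PAGE_SHIFT = 12), as on IA32.
 */
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define PAGE_MASK  (~(PAGE_SIZE - 1))
#define PAGE_ALIGN(len) (((len) + PAGE_SIZE - 1) & PAGE_MASK)

/* Linus's proposed test: true only when BOTH aligned lengths are zero. */
static bool rejected_by_both_zero_test(unsigned long old_len, unsigned long new_len)
{
	old_len = PAGE_ALIGN(old_len);
	new_len = PAGE_ALIGN(new_len);
	return !(old_len | new_len);
}

/* Michal Schmidt's variant: true when EITHER aligned length is zero. */
static bool rejected_by_either_zero_test(unsigned long old_len, unsigned long new_len)
{
	old_len = PAGE_ALIGN(old_len);
	new_len = PAGE_ALIGN(new_len);
	return !old_len || !new_len;
}

struct probe {
	unsigned long old_len;
	unsigned long new_len;
	const char *what;
};

/* Constructed argument pairs; the last one is beyond what the thread discusses. */
static const struct probe probes[] = {
	{ 0,         0,         "both lengths zero" },
	{ PAGE_SIZE, 0,         "old_len != 0, new_len == 0 (Michal's case)" },
	{ 0,         PAGE_SIZE, "old_len == 0, new_len != 0" },
	{ PAGE_SIZE, PAGE_SIZE, "ordinary one-page remap" },
	{ 1,         1,         "sub-page lengths round UP to one page" },
	{ PAGE_SIZE, ~0UL,      "new_len near ULONG_MAX wraps to 0 in PAGE_ALIGN" },
};

/* Number of probes on which the two tests give different verdicts. */
static int count_disagreements(void)
{
	int n = 0;
	for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
		bool a = rejected_by_both_zero_test(probes[i].old_len, probes[i].new_len);
		bool b = rejected_by_either_zero_test(probes[i].old_len, probes[i].new_len);
		if (a != b)
			n++;
	}
	return n;
}

int main(void)
{
	printf("%-48s %-8s %-8s\n", "probe", "!(a|b)", "!a||!b");
	for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
		const struct probe *p = &probes[i];
		printf("%-48s %-8s %-8s\n", p->what,
		       rejected_by_both_zero_test(p->old_len, p->new_len) ? "reject" : "allow",
		       rejected_by_either_zero_test(p->old_len, p->new_len) ? "reject" : "allow");
	}
	printf("tests disagree on %d of %zu probes\n",
	       count_disagreements(), sizeof probes / sizeof probes[0]);
	return 0;
}
```

Build with something like `cc -std=c99 -Wall mremap_checks.c && ./a.out` (the file name is arbitrary). The table makes Michal's point visible: the two tests agree only on the both-zero and the ordinary cases, and the both-zero form lets a shrink-to-zero request through to the rest of the function.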
