Open Source and information security mailing list archives
 
Message-ID: <409392B8.8050908@cr-secure.net>
From: chris at cr-secure.net (ChrisR-)
Subject: Bug in PaX Linux Kernel 2.6 Patches

http://www.cr-secure.net
Found by: borg (ChrisR-)

A small bug in PaX was found.

What is PaX?
-----------------------

PaX is a collection of intrusion prevention patches for the Linux Kernel 
2.2, 2.4, and 2.6.
This advisory affects only the PaX patches for the 2.6 Linux kernel.
PaX is located at http://pax.grsecurity.net

Impact?
------------------

Denial of service: a process running with PaX mmap randomization
(PF_PAX_RANDMMAP) can drive the kernel's unmapped-area search into an
infinite loop, so the affected CPU never returns from the mmap call.

Vulnerable PaX code?
-----------------------
(sorry for white space)
====================================================
'linux/mm/mmap.c' (arch_get_unmapped_area, restart path at the end of the
full_search loop, PaX RANDMMAP variant before the fix)

                        if (start_addr != TASK_UNMAPPED_BASE) {
#ifdef CONFIG_PAX_RANDMMAP
                                /* With randomization on, the search restarts
                                 * from TASK_UNMAPPED_BASE + delta_mmap, which
                                 * is not TASK_UNMAPPED_BASE, so the test above
                                 * stays true on the next failed pass. */
                                if (current->flags & PF_PAX_RANDMMAP)
                                        start_addr = addr = TASK_UNMAPPED_BASE + mm->delta_mmap;
                                else
#endif
                                start_addr = addr = TASK_UNMAPPED_BASE;
                                goto full_search;
                        }
                        return -ENOMEM;

The restart check compares start_addr with the constant TASK_UNMAPPED_BASE,
but on the randomized path the search restarts from TASK_UNMAPPED_BASE +
mm->delta_mmap. If that second pass also runs out of address space,
start_addr still differs from TASK_UNMAPPED_BASE, the code jumps back to
full_search again, and the -ENOMEM return is never reached.

====================================================
For the corrected code, grab the fixed patch at
http://pax.grsecurity.net/pax-linux-2.6.5-200405011700.patch

=====================================================
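To make the loop concrete, here is a small userland model of the 2.6.5 unmapped-area search with the PaX restart logic. This is an example written for this page, not PaX or kernel code. It keeps the structure of the fragment above, replaces the kernel's VMA list with a constructed sorted array, and adds a restart counter (which the real kernel does not have) so that the non-terminating case is reported as LIVELOCK_RET instead of hanging. The `fixed` flag makes the restart check compare against the same randomized base the restart jumps to; that is one obvious correction and is my assumption, not the PaX team's actual diff. TASK_SIZE and TASK_UNMAPPED_BASE are the i386 defaults of the era, delta_mmap is an arbitrary 16 MiB, and the sample mappings are constructed.

```c
/* Userland model of arch_get_unmapped_area() (2.6.5) with the PaX RANDMMAP
 * restart path. Example code for this advisory, not PaX or kernel code. */
#include <stdio.h>

#define TASK_SIZE          0xC0000000UL   /* i386 3G/1G split (assumed) */
#define TASK_UNMAPPED_BASE 0x40000000UL   /* TASK_SIZE/3 on i386 (assumed) */
#define ENOMEM_RET   ((unsigned long)-12)
#define LIVELOCK_RET ((unsigned long)-1)  /* model only: real kernel never returns */
#define MAX_RESTARTS 8                    /* model only: bounds the livelock */

struct vma { unsigned long vm_start, vm_end; };   /* sorted, non-overlapping */

struct mm {
    const struct vma *vmas;
    int nvmas;
    unsigned long free_area_cache;  /* where the last search stopped */
    unsigned long delta_mmap;       /* PaX randomization offset */
    int randmmap;                   /* stands in for PF_PAX_RANDMMAP */
};

/* find_vma(): index of the first vma whose end lies above addr, or nvmas */
static int find_vma_idx(const struct mm *mm, unsigned long addr)
{
    int i;
    for (i = 0; i < mm->nvmas; i++)
        if (mm->vmas[i].vm_end > addr)
            return i;
    return mm->nvmas;
}

/* fixed == 0: the vulnerable check from the advisory.
 * fixed == 1: compare against the base the restart actually uses (assumed fix). */
unsigned long get_unmapped_area(struct mm *mm, unsigned long len, int fixed)
{
    const struct vma *vma;
    unsigned long start_addr, addr;
    int i, restarts = 0;

    if (len > TASK_SIZE)
        return ENOMEM_RET;
    start_addr = addr = mm->free_area_cache;

full_search:
    if (++restarts > MAX_RESTARTS)      /* model only */
        return LIVELOCK_RET;
    for (i = find_vma_idx(mm, addr); ; i++) {
        vma = (i < mm->nvmas) ? &mm->vmas[i] : NULL;
        if (TASK_SIZE - len < addr) {
            /* Ran off the top: restart once from the (randomized) base. */
            unsigned long base = TASK_UNMAPPED_BASE;
            if (mm->randmmap)
                base += mm->delta_mmap;
            if (start_addr != (fixed ? base : TASK_UNMAPPED_BASE)) {
                start_addr = addr = base;
                goto full_search;
            }
            return ENOMEM_RET;
        }
        if (!vma || addr + len <= vma->vm_start) {
            mm->free_area_cache = addr + len;   /* hole found */
            return addr;
        }
        addr = vma->vm_end;                     /* skip this mapping */
    }
}

/* Constructed address space: a low text/data mapping and one mapping
 * sitting exactly at the randomized base (TASK_UNMAPPED_BASE + 16 MiB). */
static const struct vma sample_vmas[] = {
    { 0x08048000UL, 0x08050000UL },
    { 0x41000000UL, 0x41010000UL },
};

unsigned long run_case(int randmmap, unsigned long cache, unsigned long len, int fixed)
{
    struct mm mm = { sample_vmas, 2, cache, randmmap ? 0x01000000UL : 0UL, randmmap };
    return get_unmapped_area(&mm, len, fixed);
}

int main(void)
{
    /* 2 GiB request with randomization on: the vulnerable check never
     * reaches -ENOMEM; the corrected check fails cleanly. */
    printf("vulnerable check: %s\n",
           run_case(1, 0x41000000UL, 0x80000000UL, 0) == LIVELOCK_RET
               ? "would loop forever" : "terminates");
    printf("fixed check:      %s\n",
           run_case(1, 0x41000000UL, 0x80000000UL, 1) == ENOMEM_RET
               ? "-ENOMEM" : "unexpected");
    return 0;
}
```

The same oversized request with randomization off terminates with -ENOMEM under the vulnerable check too, because the restart base then equals TASK_UNMAPPED_BASE, which matches the advisory's statement that the problem appears only when ASLR is enabled; a request that fits after a restart (the fourth case in the test) returns the same hole under both checks, so the correction changes nothing on the normal path.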

Exploit Code?
-----------------------

I'm not releasing my exploit code for this just yet. Perhaps I never will.
But it's very simple code, simple enough to do in 2 lines. You're not getting
any more proof of concept code from me on any advisories.

Fix?
-----------------------

The PaX team is aware of the problem and has already released a fix on the
PaX homepage.

Thanks and greets:
Mattjf, TLharris, Shrike, think, and efnet #cryptography

http://www.cr-secure.net
chris@...secure.net

