Re: SuSE 7.3 : Kernel 2.4.10-4GB Bug

From: Andrea Arcangeli (andreaat_private)
Date: Wed Nov 21 2001 - 19:40:57 PST


    On Thu, Nov 22, 2001 at 12:04:58AM +0000, Luciano Miguel Ferreira Rocha wrote:
    > 
    > I've been able to reproduce the results (instant reboot) by running the
    > vmlinux as a normal user in a clean Linux 2.4.10 plus ext3,
    > on Red Hat Linux system, Pentium 233 MMX processor.
    > 
    > I couldn't reproduce the reboot on a PIII 750, kernel 2.4.15-pre2, either
    > as normal or root user (good SIGSEGV :)).
    > 
    > It looks like it is a problem within the original kernel, and that it
    > has been fixed in later releases...
    
    Correct. The bug has been fixed in 2.4.11pre3 (most of the credit for
    finding the bug and fixing it goes to Linus btw).
    
    All 2.4 kernels before 2.4.12 are affected by this bug. It shouldn't be
    exploitable; it should only lead to a local DoS.
    
    A patch to fix vanilla 2.4.10 can be downloaded from here:
    
    	ftp://ftp.us.kernel.org/pub/linux/kernel/people/andrea/patches/v2.4/2.4.10/binfmt_elf-checks-1
    
    A patch to fix the 2.4.10.SuSE-7.3 kernel (both the original one in the
    CDs, and also the first kernel security update) can be downloaded from
    here:
    
    	ftp://ftp.us.kernel.org/pub/linux/kernel/people/andrea/patches/v2.4/2.4.10.SuSE-7.3/binfmt_elf-checks-1
    
    The above two fixes cure more than just the vmlinux crash: there were
    further checks missing, and the above two patches include those
    further checks as well. If you run a recent kernel (>=2.4.12) and you
    want the further checks (even if they are not necessary just for the
    vmlinux crash), this is the patch you can apply:
    
    	ftp://ftp.us.kernel.org/pub/linux/kernel/people/andrea/kernels/v2.4/2.4.15pre7aa1/00_binfmt-elf-checks-1
    
    The crash is generated by the missing error checks for the mmap/brk
    implicit calls while mapping the elf files during execve. The x86
    vmlinux elf image claims to be mapped over 3G (that's the kernel image
    and the kernel runs there), so the binfmt elf loader tries to map the
    vmlinux elf image there, and the mapping fails (because that's kernel
    space, not userspace) but the loader doesn't notice and crashes.
    
    On the SuSE side, more about SuSE kernel update rpm packages is to be
    announced soon.
    
    Andrea
    



    This archive was generated by hypermail 2b30 : Fri Nov 23 2001 - 14:44:04 PST