Mailing List Archive: Gentoo: Security

Notification: Locally exploitable flaw / gain root privileges / SMP machine

Index | Next | Previous | View Threaded

b4b1 at free

Jan 17, 2005, 6:49 AM

Post #1 of 5 (698 views)
Permalink

Notification: Locally exploitable flaw / gain root privileges / SMP machine

Published on 12 january 2005

Issue:

======

Locally exploitable flaw has been found in the Linux page fault handler
code that allows users to gain root privileges if running on
multiprocessor machine.

Details:
========

The Linux kernel is the core software component of a Linux environment
and is responsible for handling of machine resources. One of the
functions of an operating system kernel is handling of virtual memory.
On Linux virtual memory is provided on demand if an application accesses
virtual memory areas.

One of the core components of the Linux VM subsystem is the page fault
handler that is called if applications try to access virtual memory
currently not physically mapped or not available in their address space.

The page fault handler has the function to properly identify the type of
the requested virtual memory access and take the appropriate action to
allow or deny application's VM request. Actions taken may also include a
stack expansion if the access goes just below application's actual stack
limit.

An exploitable race condition exists in the page fault handler if two
concurrent threads sharing the same virtual memory space request stack
expansion at the same time. It is only exploitable on multiprocessor
machines (that also includes systems with hyperthreading).

more détails on http://www.isec.pl/vulnerabilities/isec-0022-pagefault.txt

TuTTle

--
--------------------------------------------------------------------------------------
PGP Public Key = http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x63DB4770
Key ID = 63DB4770 Tuttle (JFM) <b4b1 [at] free>
--------------------------------------------------------------------------------------

Attachments:

signature.asc (0.18 KB)

kerin at recruit2recruit

Jan 17, 2005, 6:58 AM

Post #2 of 5 (667 views)
Permalink

Re: Notification: Locally exploitable flaw / gain root privileges / SMP machine [In reply to]

> Published on 12 january 2005
>
> Issue:
>
> ====Locally exploitable flaw has been found in the Linux page fault
> handler
> code that allows users to gain root privileges if running on
> multiprocessor machine.
>

Hi, there's a bug open on it here:

http://bugs.gentoo.org/show_bug.cgi?id=77666

The fault is rectified in the prospective gentoo-dev-sources-2.6.10-r5
patchset (unreleased as yet) and the lastest hardened-dev-sources has
already addressed it as a result of inculding Alan Cox's patchset. Here's
the patch which is destined to go into gentoo-dev-sources:

http://dev.gentoo.org/~dsd/gentoo-dev-sources/release-10.05/dist/1140_stack-resize.patch

Be warned that the sys-uselib-fix patch apparently had to be revised in
the g-d-s patchset in order to prevent hangs at boot on some systems. More
deatils should be available in the bug.

Please note also that hyperthreaded P4 systems (even with just one
processor) with a SMP-enabled kernel or also affected.

Regards,

--Kerin Francis Millar

--
gentoo-security [at] gentoo mailing list

pjlv at mega

Jan 17, 2005, 9:35 AM

Post #3 of 5 (658 views)
Permalink

Re: Notification: Locally exploitable flaw / gain root privileges / SMP machine [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kerin Millar wrote:
|>Published on 12 january 2005
|>
|>Issue:
|>
|>====Locally exploitable flaw has been found in the Linux page fault
|>handler
|>code that allows users to gain root privileges if running on
|>multiprocessor machine.
|>
|
|
| Hi, there's a bug open on it here:
|
| http://bugs.gentoo.org/show_bug.cgi?id=77666
|
| The fault is rectified in the prospective gentoo-dev-sources-2.6.10-r5
| patchset (unreleased as yet) and the lastest hardened-dev-sources has
| already addressed it as a result of inculding Alan Cox's patchset. Here's
| the patch which is destined to go into gentoo-dev-sources:
|
|
http://dev.gentoo.org/~dsd/gentoo-dev-sources/release-10.05/dist/1140_stack-resize.patch
|
| Be warned that the sys-uselib-fix patch apparently had to be revised in
| the g-d-s patchset in order to prevent hangs at boot on some systems. More
| deatils should be available in the bug.
|
| Please note also that hyperthreaded P4 systems (even with just one
| processor) with a SMP-enabled kernel or also affected.

I haven't been able to find any code that exploits that. I'm wanting to try a
kernel 2.6.10-grsec on an SMP machine to see if it's vulnerable.

Any comments? Is there any code to try it out?

regards,
pedro venda.

- --

Pedro João Lopes Venda
email: pjlv [at] mega
http://arrakis.dhis.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB6+ldeRy7HWZxjWERApMrAKCZIOr6Q4Wvn78bfPLa1hQF0Kl8pgCg7H9G
M+LCdfWEa3TpiJmrj9u9YYw=
=eZEv
-----END PGP SIGNATURE-----

--
gentoo-security [at] gentoo mailing list

ticho at gentoo

Jan 17, 2005, 10:25 AM

Post #4 of 5 (658 views)
Permalink

Re: Notification: Locally exploitable flaw / gain root privileges / SMP machine [In reply to]

On Mon, 17 Jan 2005 16:35:41 +0000
Pedro Venda <pjlv [at] mega> wrote:

> I haven't been able to find any code that exploits that. I'm wanting to try a
> kernel 2.6.10-grsec on an SMP machine to see if it's vulnerable.
>
> Any comments? Is there any code to try it out?

There's a proof-of-concept on http://www.k-otik.net

--
/~\ The ASCII Andrej "Ticho" Kacian <ticho at gentoo dot org>
\ / Ribbon Campaign GnuPG public key ID: 7CD93FE2 (pgp.mit.edu)
X Against HTML Key fingerprint:
/ \ Email! E87D 9DEF 2A23 6FFB 7AD9 542F 4253 3A46 7CD9 3FE2

--
gentoo-security [at] gentoo mailing list

pjlv at mega

Jan 17, 2005, 10:35 AM

Post #5 of 5 (664 views)
Permalink

Re: Notification: Locally exploitable flaw / gain root privileges / SMP machine [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andrej Kacian wrote:
| On Mon, 17 Jan 2005 16:35:41 +0000
| Pedro Venda <pjlv [at] mega> wrote:
|
|
|>I haven't been able to find any code that exploits that. I'm wanting to try a
|>kernel 2.6.10-grsec on an SMP machine to see if it's vulnerable.
|>
|>Any comments? Is there any code to try it out?
|
|
| There's a proof-of-concept on http://www.k-otik.net

ok,thanks :-) will try.

[]

- --

Pedro João Lopes Venda
email: pjlv [at] mega
http://arrakis.dhis.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB6/dseRy7HWZxjWERAvz0AKDA60nZQAEDKa38VehlU3+E8se2hwCghUeu
NiikRYObAyE3wnsSPvhia5M=
=wt9u
-----END PGP SIGNATURE-----

--
gentoo-security [at] gentoo mailing list

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads