mremap() bug IMHO not in 2.2

From: Petr Baudis
Date: Mon Jan 05 2004 - 18:00:45 EST

Next message: Matthew Dobson: "Re: [TRIVIAL PATCH] Use valid node number when unmapping CPUs"
Previous message: Tomas Szepe: "Re: linux-2.4.24 released"
In reply to: Petr Baudis: "mremap() bug and 2.2?"
Next in thread: Linus Torvalds: "Re: mremap() bug IMHO not in 2.2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Dear diary, on Mon, Jan 05, 2004 at 07:26:07PM CET, I got a letter,
where Petr Baudis <pasky@xxxxxx> told me, that...
> Dear diary, on Mon, Jan 05, 2004 at 06:10:53PM CET, I got a letter,
> where Diego Calleja <grundig@xxxxxxxxxxx> told me, that...
> > El Mon, 5 Jan 2004 13:26:23 -0200 (BRST) Marcelo Tosatti <marcelo.tosatti@xxxxxxxxxxxx> escribió:
> >
> > > On Mon, 5 Jan 2004, Robert L. Harris wrote:
> > > > Just read this on full disclosure:
> > > >
> > > > http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> > [...]
> > > It is possible that the problem is exploitable. There is no known public
> > > exploit yet, however.
> > >
> > > 2.4.24 includes a fix for this (mm/mremap.c diff)
> >
> > It names 2.2 too. Is there a fix for 2.2?
>
> I'm trying to investigate that right now. In 2.2, mremap() doesn't yet
> take yet the new_addr argument, therefore the "official" 2.4 fix
> wouldn't apply at all to it. There are four possibilities:
>
> * The isec.pl guys just made a mistake.
>
> * 2.2's get_unmapped_area() can return dangerous pages for len == 0,
> whilst the 2.4's get_unmapped_area() cannot. (I'm not sure, looking into
> that code right now.)
>
> * 2.4's fix is incorrect.
>
> * I'm missing something obvious.

Actually, after looking at the code again, I'm now quite convinced 2.2
has not this particular vulnerability. In order for the exploit to work,
you'd need mremap() to relocate you.

But mremap() won't take newaddr argument, so you can't get yourself
relocated explicitly. And mremap() will not relocate yourself implicitly
to some random spot neither, because since newlen is zero, it will
always trigger the shrinking code, which will just munmap() and bail
out.

ihaquer, any comments? Is there something we don't know about? If not,
please correct your announcement.

Kind regards,

--

Petr "Pasky" Baudis
.
The brain is a wonderful organ; it starts working the moment you get up
in the morning, and does not stop until you get to work.
.
Stuff: http://pasky.or.cz/
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Matthew Dobson: "Re: [TRIVIAL PATCH] Use valid node number when unmapping CPUs"
Previous message: Tomas Szepe: "Re: linux-2.4.24 released"
In reply to: Petr Baudis: "mremap() bug and 2.2?"
Next in thread: Linus Torvalds: "Re: mremap() bug IMHO not in 2.2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]