Re: mremap() bug IMHO not in 2.2

From: Martin Loschwitz
Date: Tue Jan 06 2004 - 04:25:19 EST


On Mon, Jan 05, 2004 at 04:08:36PM -0800, Linus Torvalds wrote:
>
>
> The only page that should matter is likely the one at 0xC0000000, where
> there can be extra complications from the fact that we use 4MB pages for
> the kernel, so when fork/exit tries to walk the page table, it would get
> bogus results.
>
This is right, the proof-of-concept exploit to be found on full-disclosure
exactly uses that memory address.

> Still, I'd expect that to lead to a triple fault (and thus a reboot)
> rather than any elevation of privileges..
>
I agree with Linus. I tested the POC exploit here on Linux 2.4.22-rc2
and Linux 2.4.23, and all it does is reboot the box. As for
Linux 2.6.0-test9, I get something like a hangup (the same sound is
played again and again, and only a reset helps).

I am actually not sure whether this should be called a 'local privilege
escalation' or rather a 'possibility for Denial of Service attacks'.

> Interesting, in any case. Good catch from whoever found it.
>
> Linus
> -

--
.''`. Martin Loschwitz Debian GNU/Linux developer
: :' : madkiss@xxxxxxxxxxx madkiss@xxxxxxxxxx
`. `'` http://www.madkiss.org/ people.debian.org/~madkiss/
`- Use Debian GNU/Linux 3.0! See http://www.debian.org/
