mremap() bug indeed not in 2.2 (confirmed)

From: Petr Baudis
Date: Tue Jan 06 2004 - 15:38:39 EST


Dear diary, on Mon, Jan 05, 2004 at 11:55:08PM CET, I got a letter,
where Petr Baudis <pasky@xxxxxx> told me, that...
> Dear diary, on Mon, Jan 05, 2004 at 07:26:07PM CET, I got a letter,
> where Petr Baudis <pasky@xxxxxx> told me, that...
> > Dear diary, on Mon, Jan 05, 2004 at 06:10:53PM CET, I got a letter,
> > where Diego Calleja <grundig@xxxxxxxxxxx> told me, that...
> > > It names 2.2 too. Is there a fix for 2.2?
> >
> > I'm trying to investigate that right now. In 2.2, mremap() doesn't yet
> > take the new_addr argument, therefore the "official" 2.4 fix
> > wouldn't apply at all to it. There are four possibilities:
> >
> > * The isec.pl guys just made a mistake.
..snip..
> Actually, after looking at the code again, I'm now quite convinced 2.2
> does not have this particular vulnerability. In order for the exploit to
> work, you'd need mremap() to relocate you.
..snip..
> ihaquer, any comments? Is there something we don't know about? If not,
> please correct your announcement.

It seems to be indeed so. This was just posted to bugtraq & co:

Hi,

our initial posting contains a mistake about the vulnerability of the
2.2 kernel series. Since the 2.2 kernel series doesn't support the
MREMAP_FIXED flag it is NOT vulnerable. The source states "MREMAP_FIXED
option added 5-Dec-1999" but it didn't make it into recent 2.2.x. We
apologize for the inconvenience.

--
Paul Starzetz
iSEC Security Research
http://isec.pl/

Here you go. And I don't need to worry about my 2.2.25-running pets ;-).

Kind regards,

--

Petr "Pasky" Baudis
The brain is a wonderful organ; it starts working the moment you get up
in the morning, and does not stop until you get to work.
Stuff: http://pasky.or.cz/
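As an added illustration (not part of this thread or of iSEC's material): the correction above turns on whether a kernel's mremap() accepts MREMAP_FIXED at all, which 2.2.x rejects because its mremap() has no new_addr argument. The probe below moves an anonymous page to a caller-chosen address with documented, unprivileged calls and reports whether the kernel honoured the flag; it assumes a Linux/glibc target, and the fallback flag values and prototype cover the case where the headers were processed without _GNU_SOURCE.

```c
#define _GNU_SOURCE 1          /* for mremap() and MREMAP_* in <sys/mman.h> */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#ifndef MREMAP_FIXED
/* Fallback if <sys/mman.h> was processed without _GNU_SOURCE: Linux ABI
 * flag values and the glibc prototype (assumption: Linux/glibc target). */
#define MREMAP_MAYMOVE 1
#define MREMAP_FIXED   2
extern void *mremap(void *old_address, size_t old_size, size_t new_size,
                    int flags, ...);
#endif

/* Returns 1 if this kernel's mremap() honours MREMAP_FIXED (the relocation
 * path the 2.4 advisory concerns), 0 if it rejects the flag with EINVAL (what
 * a 2.2.x mremap() without new_addr support does), -1 on any other failure. */
int probe_mremap_fixed(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    int prot = PROT_READ | PROT_WRITE, mflags = MAP_PRIVATE | MAP_ANONYMOUS;
    char *old = mmap(NULL, len, prot, mflags, -1, 0);
    if (old == MAP_FAILED)
        return -1;
    strcpy(old, "marker");                 /* constructed page content */
    /* A second anonymous page supplies a valid, aligned destination address. */
    char *dst = mmap(NULL, len, prot, mflags, -1, 0);
    if (dst == MAP_FAILED) {
        munmap(old, len);
        return -1;
    }
    void *res = mremap(old, len, len, MREMAP_MAYMOVE | MREMAP_FIXED, dst);
    if (res == MAP_FAILED) {
        int saved = errno;                 /* keep errno across munmap() */
        munmap(old, len);
        munmap(dst, len);
        return saved == EINVAL ? 0 : -1;
    }
    /* The moved page must now live at dst and still carry the marker. */
    int ok = (res == (void *)dst) && strcmp(dst, "marker") == 0;
    munmap(dst, len);
    return ok ? 1 : -1;
}

int main(void)
{
    printf("MREMAP_FIXED honoured: %d\n", probe_mremap_fixed());
    return 0;
}
```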
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/