
Re: Root exploit in 32 bit emu



Anthony DeRobertis wrote:

> On Jan 23, 2004, at 12:10, Xavier Hienne wrote:
>
> > FWIW, I have extracted a patch from the 2.6.2-rc1 kernel that seems to work on my 2.4.23 kernel tree. I could have put it as an attachment but I'm hesitant: if this patch has not been published yet,
>
> If it's in 2.6.2-rc1, then it's quite published already.

Actually, yes, but it's mixed in among many other modifications to the kernel code. OK then, since I've had no trouble identifying the ptrace patch, I guess it would be easy for anyone motivated enough.

So here it is. This patch works at least against 2.6.1 and 2.4.23.
I'd like to remind you that this is an excerpt of this big patch, http://www.kernel.org/pub/linux/kernel/v2.6/testing/patch-2.6.2-rc1.bz2; therefore I may have forgotten other parts of it, though I don't think so. Use it at your own risk, of course.

Xavier
diff -Nru a/arch/x86_64/ia32/ptrace32.c b/arch/x86_64/ia32/ptrace32.c
--- a/arch/x86_64/ia32/ptrace32.c	Tue Jan 20 19:51:08 2004
+++ b/arch/x86_64/ia32/ptrace32.c	Tue Jan 20 19:51:08 2004
@@ -26,6 +26,10 @@
 #include <linux/ptrace.h>
 #include <linux/mm.h>
 
+/* determines which flags the user has access to. */
+/* 1 = access 0 = no access */
+#define FLAG_MASK 0x44dd5UL
+
 #define R32(l,q) \
 	case offsetof(struct user32, regs.l): stack[offsetof(struct pt_regs, q)/8] = val; break
 
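Review bot: the two single-line comments above FLAG_MASK do not say which eflags bits the mask covers; "1 = access 0 = no access" is not enough for a reviewer to audit the constant. Decoding 0x44dd5, the set bits are CF, PF, AF, ZF, SF, TF, DF, OF, NT and AC, so IF, IOPL, RF, VM, VIF, VIP and ID remain under kernel control. Merge the two lines into one block comment that lists those flags and notes that the macro replaces the bare 0x44dd5 literal used in the regs.eflags case below, so the two cannot drift apart.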
@@ -70,9 +74,12 @@
 	R32(eip, rip);
 	R32(esp, rsp);
 
-	case offsetof(struct user32, regs.eflags): 
-		stack[offsetof(struct pt_regs, eflags)/8] = val & 0x44dd5; 
+	case offsetof(struct user32, regs.eflags): {
+		__u64 *flags = &stack[offsetof(struct pt_regs, eflags)/8];
+		val &= FLAG_MASK;
+		*flags = val | (*flags & ~FLAG_MASK);
 		break;
+	}
 
 	case offsetof(struct user32, u_debugreg[4]): 
 	case offsetof(struct user32, u_debugreg[5]):
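Review bot: the removed lines stored `val & 0x44dd5` as the entire saved eflags, so every bit outside the mask (IF, IOPL and the other kernel-controlled bits) was cleared whenever a 32-bit tracer wrote regs.eflags; the new block masks the caller's value and merges it with `*flags & ~FLAG_MASK`, so those bits keep their previous contents, which is the correct fix. Two style points: the new case body opens a brace block for the local `flags` declaration but leaves the closing `}` on its own line after `break;`, which reads oddly next to the one-line `R32` cases (moving `break;` after the block, or keeping it inside and dropping the blank line before the next case, would be cleaner); and the removed lines carried trailing whitespace after `regs.eflags):` and `0x44dd5;`, which is worth checking has not been reintroduced elsewhere in the file (the `u_debugreg[4]` context line still has it).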
