[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Root exploit in 32 bit emu

Anthony DeRobertis wrote:

On Jan 23, 2004, at 12:10, Xavier Hienne wrote:

FWIW, I have extracted a patch from the 2.6.2-rc1 kernel that seems to work on my 2.4.23 kernel tree. I could have put it in attachment but I'm hesitant : if this patch has not been published yet,

If it's in 2.6.2-rc1, then it's quite published already.

Actually, yes, but it's melt among many other modifications to the kernel code. OK then, since I've had no trouble to identify the ptrace patch, I guess it would be easy to anyone motivated enough.

So here it is. This patch works at least against 2.6.1 and 2.4.23.
I'd like to remind you that this is an excerpt of this big patch http://www.kernel.org/pub/linux/kernel/v2.6/testing/patch-2.6.2-rc1.bz2 therefore I may have forgotten other parts of it, though I don't think so. Use it at your own risk, of course.

diff -Nru a/arch/x86_64/ia32/ptrace32.c b/arch/x86_64/ia32/ptrace32.c
--- a/arch/x86_64/ia32/ptrace32.c	Tue Jan 20 19:51:08 2004
+++ b/arch/x86_64/ia32/ptrace32.c	Tue Jan 20 19:51:08 2004
@@ -26,6 +26,10 @@
 #include <linux/ptrace.h>
 #include <linux/mm.h>
+/* determines which flags the user has access to. */
+/* 1 = access 0 = no access */
+#define FLAG_MASK 0x44dd5UL
 #define R32(l,q) \
 	case offsetof(struct user32, regs.l): stack[offsetof(struct pt_regs, q)/8] = val; break
@@ -70,9 +74,12 @@
 	R32(eip, rip);
 	R32(esp, rsp);
-	case offsetof(struct user32, regs.eflags): 
-		stack[offsetof(struct pt_regs, eflags)/8] = val & 0x44dd5; 
+	case offsetof(struct user32, regs.eflags): {
+		__u64 *flags = &stack[offsetof(struct pt_regs, eflags)/8];
+		val &= FLAG_MASK;
+		*flags = val | (*flags & ~FLAG_MASK);
+	}
 	case offsetof(struct user32, u_debugreg[4]): 
 	case offsetof(struct user32, u_debugreg[5]):

Reply to: