Re: CAN-2005-2617: local users can trigger a memory leak via a 32-bit application with crafted ELF headers

To: Micah <micah@riseup.net>
Cc: debian-kernel@lists.debian.org
Subject: Re: CAN-2005-2617: local users can trigger a memory leak via a 32-bit application with crafted ELF headers
From: Horms <horms@debian.org>
Date: Thu, 1 Sep 2005 17:36:31 +0900
Message-id: <[🔎] 20050901083629.GA9552@verge.net.au>
Mail-followup-to: Micah <micah@riseup.net>, debian-kernel@lists.debian.org
In-reply-to: <430FAD6F.6000007@riseup.net>
References: <430FAD6F.6000007@riseup.net>

On Fri, Aug 26, 2005 at 07:01:51PM -0500, Micah wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hey all,
> 
> 
> CAN-2005-2617 describes a local DOS on 64bit machines:
> 
> The syscall32_setup_pages function in syscall32.c for Linux kernel
> 2.6.12 and later, on the 64-bit x86 platform, does not check the return
> value of the insert_vm_struct function, which allows local users to
> trigger a memory leak via a 32-bit application with crafted ELF headers.
> 
> http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=9fb1759a3102c26cd8f64254a7c3e532782c2bb8
> http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=9fb1759a3102c26cd8f64254a7c3e532782c2bb8

Thanks,

I have added this to linux-2.6-sid in SVN and it should
appear in linux-2.6 2.6.12-6

According to some git-magic I pulled in my local copy of Linus's tree, 
this change is already in 2.6.13

cg diff -r 02b3e4e2d71b6058ec11cc01c72ac651eb3ded2b -r 9fb1759a3102c26cd8f64254a7c3e532782c2bb8 arch/x86_64/ia32/syscall32.c 

I have examined 2.6.8 and I do not beleive it is vulnerable as the code 
in question was introduced by the following, post 2.6.8, change.

http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1e01441051dda3bb01c455b6e20bce6d00563d82

However, some eyes over the 2.6.8 incarnation, to see if it
is broken would be appreciated:

>From arch/x86_64/ia32/syscall32.c

/* RED-PEN: This knows too much about high level VM */ 
/* Alternative would be to generate a vma with appropriate backing
 * options
   and let it be handled by generic VM */
int map_syscall32(struct mm_struct *mm, unsigned long address)
{ 
        pte_t *pte;
        pmd_t *pmd;
        int err = 0;

        down_read(&mm->mmap_sem);
        spin_lock(&mm->page_table_lock);
        pmd = pmd_alloc(mm, pgd_offset(mm, address), address);
        if (pmd && (pte = pte_alloc_map(mm, pmd, address)) != NULL) {
                if (pte_none(*pte)) { 
                        set_pte(pte,
                                mk_pte(virt_to_page(syscall32_page),
                                       PAGE_KERNEL_VSYSCALL));
                }
                /* Flush only the local CPU. Other CPUs taking a fault
                   will just end up here again */
                __flush_tlb_one(address);
        } else
                err = -ENOMEM;
        spin_unlock(&mm->page_table_lock);
        up_read(&mm->mmap_sem);
        return err;
}       


And 2.4.27 and upstream 2.4 do not have 32 bit syscalls for AMD64.

>From arch/x86_64/ia32/sys_ia32.c

asmlinkage long sys32_ni_syscall(int call)
{
        /* Disable for now because the emulation should be pretty complete 
           and we miss some syscalls from 2.6. */
#if 0
        printk(KERN_INFO "IA32 syscall %d from %s not implemented\n", call,
               current->comm);
#endif
        return -ENOSYS;
}




-- 
Horms

Reply to:

Prev by Date: Bug#289690: cannot access some files with samba
Next by Date: Bug#289690: cannot access some files with samba
Previous by thread: Bug#289690: cannot access some files with samba
Next by thread: Re: Bug#321419: linux-image-2.6.12-1-686: irq11 makes eth0 problems (Was: Re: Bug#303550: kernel-image-2.6.11-1-686: irq11 makes eth0 problems)
Index(es):
- Date
- Thread