[rsbac] <2.4.24 hole

Bencsath Boldizsar boldi at mail2003.etl.hu
Thu Feb 19 17:13:30 CET 2004


If anyone has not read the news lately, a new (18.feb.2004) kernel hole is
fixed in 2.4.25. If anyone does not want to wait for a new
/enteryourfavoritepatchhere/ kernel version, the attached patch solves the
problem on 2.4.24.
http://linux.bkbits.net:8080/linux-2.4/patch@1.1323?nav=index.html|ChangeSet@-1d|cset@1.1323

sample exploit:
http://www.derkeiler.com/Mailing-Lists/Securiteam/2004-02/0052.html

(on my grsec+rsbac patched 2.4.24 with grsecurity memory randomization
turned on it seems that this exploit results in a segfault and a kernel error
message in mmap.c)

--------------------------------
Bencsath Boldizsar
boldi at mail2003.etl.hu
--------------------------------
--- a/mm/mremap.c	Thu Feb 19 07:03:31 2004
+++ b/mm/mremap.c	Thu Feb 19 07:03:31 2004
@@ -258,16 +258,20 @@
 		if ((addr <= new_addr) && (addr+old_len) > new_addr)
 			goto out;
 
-		do_munmap(current->mm, new_addr, new_len);
+		ret = do_munmap(current->mm, new_addr, new_len);
+		if (ret && new_len)
+			goto out;
 	}
 
 	/*
 	 * Always allow a shrinking remap: that just unmaps
 	 * the unnecessary pages..
 	 */
-	ret = addr;
 	if (old_len >= new_len) {
-		do_munmap(current->mm, addr+new_len, old_len - new_len);
+		ret = do_munmap(current->mm, addr+new_len, old_len - new_len);
+		if (ret && old_len != new_len)
+			goto out;
+		ret = addr;
 		if (!(flags & MREMAP_FIXED) || (new_addr == addr))
 			goto out;
 	}
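Review bot: the guards `if (ret && new_len)` and `if (ret && old_len != new_len)` deliberately discard a non-zero do_munmap() return when the unmap length is zero; add a one-line comment stating that, because a reader otherwise sees an error code being swallowed directly beside the change that started checking it. Moving `ret = addr;` below the shrinking do_munmap() call means that on the new `goto out` paths `out:` now returns the negative value from do_munmap() instead of the old address, so double-check that every caller of this function in 2.4.24 treats a negative return as failure; the hunk is exactly about the pre-patch code ignoring do_munmap() failures, which is the hole the message refers to.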