[rsbac] <2.4.24 hole
Bencsath Boldizsar
boldi at mail2003.etl.hu
Thu Feb 19 17:13:30 CET 2004
If anyone has not read the news lately, a new (18.feb.2004) kernel hole is
fixed in 2.4.25. If anyone does not want to wait for a new
/enteryourfavoritepatchhere/ kernel version, the attached patch solves the
problem on 2.4.24.
http://linux.bkbits.net:8080/linux-2.4/patch@1.1323?nav=index.html|ChangeSet@-1d|cset@1.1323
sample exploit:
http://www.derkeiler.com/Mailing-Lists/Securiteam/2004-02/0052.html
(on my grsec+rsbac patched 2.4.24 with grsecurity memory randomization
turned on, it seems that this exploit results in a segfault and a kernel error
message from mmap.c)
--------------------------------
Bencsath Boldizsar
boldi at mail2003.etl.hu
--------------------------------
--- a/mm/mremap.c Thu Feb 19 07:03:31 2004
+++ b/mm/mremap.c Thu Feb 19 07:03:31 2004
@@ -258,16 +258,20 @@
if ((addr <= new_addr) && (addr+old_len) > new_addr)
goto out;
- do_munmap(current->mm, new_addr, new_len);
+ ret = do_munmap(current->mm, new_addr, new_len);
+ if (ret && new_len)
+ goto out;
}
/*
* Always allow a shrinking remap: that just unmaps
* the unnecessary pages..
*/
- ret = addr;
if (old_len >= new_len) {
- do_munmap(current->mm, addr+new_len, old_len - new_len);
+ ret = do_munmap(current->mm, addr+new_len, old_len - new_len);
+ if (ret && old_len != new_len)
+ goto out;
+ ret = addr;
if (!(flags & MREMAP_FIXED) || (new_addr == addr))
goto out;
}
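Review bot: the two new guards, `if (ret && new_len)` and `if (ret && old_len != new_len)`, deliberately discard a do_munmap() error whenever the requested length is zero, and nothing in the hunk says why; since an ignored do_munmap() failure is exactly the defect this patch is closing, a one-line comment stating that a zero-length unmap is expected to fail harmlessly (and that no other error can be hidden behind it) would make the intent reviewable. Also, `ret = addr;` is moved from before the `if (old_len >= new_len)` test into that branch, so on the growing, MREMAP_FIXED path `ret` is no longer set here; please confirm that every `goto out` reachable after this hunk assigns `ret` first, otherwise a stale do_munmap() return value could be handed back as the mapping address.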