Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 49637

Summary: Local DoS in PaX Linux Kernel <=2.6.5 Patches in ASLR handling code prior to 2004.05.01
Product: Gentoo Security Reporter: solar (RETIRED) <solar>
Component: KernelAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: pageexec
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://marc.theaimsgroup.com/?l=full-disclosure&m=108343408110672&w=2
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description solar (RETIRED) gentoo-dev 2004-05-01 12:11:20 UTC 
List:       full-disclosure
Subject:    [Full-Disclosure] Bug in PaX Linux Kernel 2.6 Patches
From:       ChrisR- <chris () cr-secure ! net>
Date:       2004-05-01 12:06:16
Message-ID: <409392B8.8050908 () cr-secure ! net>


http://www.cr-secure.net
Found by: borg (ChrisR-)

A small bug in PaX was found.

What is PaX?
-----------------------

PaX is a collection of intrusion prevention patches for the Linux Kernel 
2.2, 2.4, and 2.6.
This advisory only affects the PaX patches for the 2.6 linux kernel.
PaX is located at http://pax.grsecurity.net

Impact?
------------------

Denial of service through putting the kernel into an infinite loop when 
ASLR is enabled.

Vulnerable PaX code?
-----------------------
(sorry for white space)
====================================================
'linux/mm/mmap.c'

 if (start_addr != TASK_UNMAPPED_BASE) {

#ifdef CONFIG_PAX_RANDMMAP
                                if (current->flags & PF_PAX_RANDMMAP)
                                        start_addr = addr = 
TASK_UNMAPPED_BASE + mm->delta_mmap;
                                else
#endif
                                                                                      \
  
                                start_addr = addr = TASK_UNMAPPED_BASE;
                                goto full_search;
                        }
                        return -ENOMEM;


====================================================
And the correct code,

grab the patch at 
http://pax.grsecurity.net/pax-linux-2.6.5-200405011700.patch

=====================================================

Exploit Code?
-----------------------

Im not releasing my exploit code for this just yet. Pherhaps I never will.
But its very simple code, simple enough to do in 2 lines. Your not getting
anymore proof of concept code from me on any advisories.

Fix?
-----------------------

PaX team is aware of the problem and has already released a fix for this 
on the PaX homepage.

Thanks and greets:
Mattjf, TLharris, Shrike, think, and efnet #cryptography

http://www.cr-secure.net
chris[@]cr-secure[?]net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Comment 1 solar (RETIRED) gentoo-dev 2004-05-01 12:12:11 UTC 
<PaX Team> We never suggested that people should use 2.6 where there can be hostile local users.

Only arches that have don't define HAVE_ARCH_UNMAPPED_AREA will be affected by this bug, alpha/ia64/mips/parisc/sparc/sparc64/x86_64 do define this.

As disabling ASLR would be an undesirable solution you are encouraged to upgrade to the latest version.
Comment 2 PaX Team 2004-05-01 12:39:55 UTC 
correction, ia64 and sparc64 are also affected but not yet fixed in the public patch. unless someone speaks up, the fix will go out with the next normal release only (probably a few days off).
Comment 3 solar (RETIRED) gentoo-dev 2004-06-26 21:31:05 UTC 
I think this was patched in hardened-dev-sources-2.6.5-r5
h-d-s-2.6.7-r0 should be out within the week.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-06-28 01:38:13 UTC 
Yes, I confirm it was patched in 2.6.5-r5. 
This is ready for a GLSA (probably common kernel GLSA with bugs 47881 53804 and 54976).
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-07-04 11:40:43 UTC 
GLSA 200407-02