List: full-disclosure
Subject: [Full-Disclosure] Bug in PaX Linux Kernel 2.6 Patches
From: ChrisR- <chris () cr-secure ! net>
Date: 2004-05-01 12:06:16
Message-ID: <409392B8.8050908 () cr-secure ! net>

http://www.cr-secure.net
Found by: borg (ChrisR-)

A small bug in PaX was found.

What is PaX?
-----------------------
PaX is a collection of intrusion prevention patches for the Linux Kernel 2.2, 2.4, and 2.6. This advisory only affects the PaX patches for the 2.6 Linux kernel. PaX is located at http://pax.grsecurity.net

Impact?
------------------
Denial of service through putting the kernel into an infinite loop when ASLR is enabled.

Vulnerable PaX code?
-----------------------
(sorry for white space)
====================================================
'linux/mm/mmap.c'

    if (start_addr != TASK_UNMAPPED_BASE) {
#ifdef CONFIG_PAX_RANDMMAP
        if (current->flags & PF_PAX_RANDMMAP)
            start_addr = addr = TASK_UNMAPPED_BASE + mm->delta_mmap;
        else
#endif
        start_addr = addr = TASK_UNMAPPED_BASE;
        goto full_search;
    }
    return -ENOMEM;
====================================================

And the correct code, grab the patch at http://pax.grsecurity.net/pax-linux-2.6.5-200405011700.patch
=====================================================

Exploit Code?
-----------------------
I'm not releasing my exploit code for this just yet. Perhaps I never will. But it's very simple code, simple enough to do in 2 lines. You're not getting any more proof-of-concept code from me on any advisories.

Fix?
-----------------------
PaX team is aware of the problem and has already released a fix for this on the PaX homepage.

Thanks and greets: Mattjf, TLharris, Shrike, think, and efnet #cryptography

http://www.cr-secure.net
chris[@]cr-secure[?]net
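The snippet above is the "start a new search from the base" retry inside the generic 2.6 arch_get_unmapped_area(): when a first-fit pass starting at mm->free_area_cache runs out of address space, the kernel restarts once from TASK_UNMAPPED_BASE, and the `start_addr != TASK_UNMAPPED_BASE` test is what tells it the restart has already happened. With PF_PAX_RANDMMAP the restart begins at TASK_UNMAPPED_BASE + mm->delta_mmap instead, so that test stays true and an exhausted address space restarts the search forever. The following user-space model is an added example, not code from the advisory or from PaX; all `model_*` names are hypothetical, the layouts are constructed, and the `fixed` variant (compare against the base the restart actually uses) is one plausible correction, not necessarily what the PaX patch does. A bounded iteration count stands in for the hang so the outcome can be reported instead of suffered.

```c
/* Added example (not from the advisory or PaX): a model of the generic 2.6
 * arch_get_unmapped_area() search/restart logic. All model_* names are
 * hypothetical stand-ins for the kernel's names. */
#include <stdbool.h>
#include <stdio.h>
#include <errno.h>

#define MODEL_UNMAPPED_BASE 0x40000000UL  /* stand-in for TASK_UNMAPPED_BASE */
#define MODEL_TASK_SIZE     0xC0000000UL  /* stand-in for TASK_SIZE */
#define MODEL_MAX_ITER      10000         /* bound so the hang is reported, not suffered */

/* One mapping occupying [start, end); arrays are sorted and non-overlapping. */
struct model_vma { unsigned long start, end; };

/* First-fit walk: lowest address >= addr where `len` bytes are free, or 0 if
 * the request runs past MODEL_TASK_SIZE (the kernel's "TASK_SIZE - len < addr"). */
static unsigned long model_find_gap(const struct model_vma *vmas, int n,
                                    unsigned long addr, unsigned long len)
{
    for (int i = 0; i < n; i++) {
        if (MODEL_TASK_SIZE - len < addr)
            return 0;
        if (addr + len <= vmas[i].start)
            return addr;                 /* hole before this mapping */
        if (vmas[i].end > addr)
            addr = vmas[i].end;          /* skip past the mapping */
    }
    return (MODEL_TASK_SIZE - len < addr) ? 0 : addr;
}

/* Retry logic around the search. `randomized` models PF_PAX_RANDMMAP and
 * `delta_mmap` models mm->delta_mmap. Returns 0 with the address in *out,
 * -ENOMEM when the address space is exhausted, or -ELOOP when the iteration
 * bound is hit (the real kernel has no bound: that case is the hang). */
static int model_get_unmapped_area(const struct model_vma *vmas, int n,
                                   unsigned long free_area_cache,
                                   unsigned long len, unsigned long delta_mmap,
                                   bool randomized, bool fixed, unsigned long *out)
{
    unsigned long base = MODEL_UNMAPPED_BASE + (randomized ? delta_mmap : 0);
    unsigned long start_addr = free_area_cache;

    for (int iter = 0; iter < MODEL_MAX_ITER; iter++) {
        unsigned long hit = model_find_gap(vmas, n, start_addr, len);
        if (hit) {
            *out = hit;
            return 0;
        }
        /* Vulnerable test: start_addr is compared with the unrandomized base,
         * which a randomized start_addr never equals, so every failed pass
         * after the first restart restarts again. The assumed fix compares
         * with the base the restart actually uses. */
        unsigned long already_restarted_from = fixed ? base : MODEL_UNMAPPED_BASE;
        if (start_addr != already_restarted_from) {
            start_addr = base;           /* the kernel's "goto full_search" */
            continue;
        }
        return -ENOMEM;
    }
    return -ELOOP;
}

/* Constructed layout: one mapping fills everything above the base, so no
 * request can succeed and only the restart logic decides the outcome. */
static const struct model_vma model_full[] = { { MODEL_UNMAPPED_BASE, MODEL_TASK_SIZE } };

/* Constructed layout with a 0x1000-byte hole at 0x80000000 that a first pass
 * starting from a high free_area_cache misses; the restart from the base finds it. */
static const struct model_vma model_with_hole[] = {
    { MODEL_UNMAPPED_BASE, 0x80000000UL },
    { 0x80001000UL, MODEL_TASK_SIZE },
};

/* Exhausted address space under the given flags; returns the status code. */
static int model_run_full(bool randomized, bool fixed)
{
    unsigned long out = 0;
    return model_get_unmapped_area(model_full, 1, 0x50000000UL, 0x1000UL,
                                   0x1000UL, randomized, fixed, &out);
}

/* The restart doing its legitimate job: returns the hole the first pass missed. */
static unsigned long model_run_hole(void)
{
    unsigned long out = 0;
    int rc = model_get_unmapped_area(model_with_hole, 2, 0xBFFFF000UL, 0x1000UL,
                                     0x1000UL, true, true, &out);
    return rc == 0 ? out : 0;
}

int main(void)
{
    printf("no ASLR, exhausted:       %d (-ENOMEM is %d)\n", model_run_full(false, false), -ENOMEM);
    printf("ASLR, vulnerable test:    %d (-ELOOP is %d: the kernel would spin)\n", model_run_full(true, false), -ELOOP);
    printf("ASLR, corrected test:     %d (-ENOMEM is %d)\n", model_run_full(true, true), -ENOMEM);
    printf("hole found after restart: 0x%lx\n", model_run_hole());
    return 0;
}
```

The model keeps the kernel's shape (one pass from the cached hint, one restart from the base, then -ENOMEM) so the only difference between the hanging and terminating runs is which base the "already restarted" test is compared against; that is the defect the advisory's snippet shows and the reason disabling randomization also makes it disappear.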
<PaX Team> We never suggested that people should use 2.6 where there can be hostile local users. Only arches that don't define HAVE_ARCH_UNMAPPED_AREA will be affected by this bug; alpha/ia64/mips/parisc/sparc/sparc64/x86_64 do define this. As disabling ASLR would be an undesirable solution, you are encouraged to upgrade to the latest version.
Correction: ia64 and sparc64 are also affected but not yet fixed in the public patch. Unless someone speaks up, the fix will go out with the next normal release only (probably a few days off).
I think this was patched in hardened-dev-sources-2.6.5-r5. h-d-s-2.6.7-r0 should be out within the week.
Yes, I confirm it was patched in 2.6.5-r5. This is ready for a GLSA (probably common kernel GLSA with bugs 47881 53804 and 54976).
GLSA 200407-02