Full Disclosure mailing list archives
Bug in PaX Linux Kernel 2.6 Patches
From: ChrisR- <chris () cr-secure net>
Date: Sat, 01 May 2004 08:06:16 -0400
http://www.cr-secure.net Found by: borg (ChrisR-) A small bug in PaX was found. What is PaX? -----------------------PaX is a collection of intrusion prevention patches for the Linux Kernel 2.2, 2.4, and 2.6.
This advisory only affects the PaX patches for the 2.6 linux kernel. PaX is located at http://pax.grsecurity.net Impact? ------------------Denial of service through putting the kernel into an infinite loop when ASLR is enabled.
Vulnerable PaX code?
-----------------------
(sorry for white space)
====================================================
'linux/mm/mmap.c'
if (start_addr != TASK_UNMAPPED_BASE) {
#ifdef CONFIG_PAX_RANDMMAP
if (current->flags & PF_PAX_RANDMMAP)
start_addr = addr =
TASK_UNMAPPED_BASE + mm->delta_mmap;
else
#endif
start_addr = addr = TASK_UNMAPPED_BASE;
goto full_search;
}
return -ENOMEM;
====================================================
And the correct code,
grab the patch at
http://pax.grsecurity.net/pax-linux-2.6.5-200405011700.patch
===================================================== Exploit Code? ----------------------- Im not releasing my exploit code for this just yet. Pherhaps I never will. But its very simple code, simple enough to do in 2 lines. Your not getting anymore proof of concept code from me on any advisories. Fix? -----------------------PaX team is aware of the problem and has already released a fix for this on the PaX homepage.
Thanks and greets: Mattjf, TLharris, Shrike, think, and efnet #cryptography http://www.cr-secure.net chris () cr-secure net _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Bug in PaX Linux Kernel 2.6 Patches ChrisR- (May 01)