Bugtraq mailing list archives
Re: Hot fix for do_brk bug
From: Goetz Babin-Ebell <babin-ebell () trustcenter de>
Date: Fri, 05 Dec 2003 22:31:27 +0100
Hello Shane,

canon () nersc gov wrote:

> I've written a linux kernel module that can be used to hot fix a Linux
> system for the bug in do_brk. It scans the kernel space and replaces jmp
> and calls to do_brk to point to a wrapper routine instead. It also maps
> the symbol table to point to the wrapper. This only works on x86 and it
> has only been tested with RH kernels 2.4.18-27.7.xsmp and 2.4.20-20.7smp.
> It is quite possible this could crash or screw-up a system, so use at
> your own risk. I've tested the module against the proof of concept code
> written and posted by Christophe Devine. The module catches the exploit
> and logs the attempt.
It would be less intrusive to the kernel to supply a fixed do_brk() and
replace do_brk with a jump to your version. This way you only have to
touch one place in the kernel space (and no guesswork, no modifying of
kernel data that might look like a pointer to do_brk() but is really
something else...)

Bye

Goetz

-- 
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
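An added illustration of the entry-point approach Goetz describes (this is not the poster's module and not code from anyone in this thread): a userspace model in C of overwriting the first five bytes of do_brk() with a 32-bit x86 "jmp rel32" (opcode E9) to a replacement routine, so that exactly one location in kernel text is modified and no call sites have to be hunted for. The byte buffer standing in for kernel text, the addresses 0xC0125A00 (do_brk) and 0xC8834120 (the replacement in module space), and the sample brk requests are constructed test data. The bounds check shown is the one the vulnerable do_brk() lacked: the requested range must not wrap and must stay at or below TASK_SIZE (0xC0000000 on a 3G/1G split); that the upstream fix took exactly this form is an assumption here, not something this thread states.

```c
/* Added example: model of a one-site entry-point hot patch for do_brk().
 * Not the poster's module; addresses and buffers below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TASK_SIZE        0xC0000000UL  /* assumed 3G/1G split, 2.4 x86 */
#define JMP_REL32_OPCODE 0xE9
#define JMP_REL32_LEN    5

/* Encode "jmp rel32" at patch_addr that lands on target_addr.
 * rel32 is measured from the end of the 5-byte instruction and is
 * written little-endian byte by byte, so this does not depend on the
 * host's endianness. */
static void encode_jmp(uint8_t *buf, uint32_t patch_addr, uint32_t target_addr)
{
    uint32_t rel = target_addr - (patch_addr + JMP_REL32_LEN);
    buf[0] = JMP_REL32_OPCODE;
    buf[1] = (uint8_t)(rel);
    buf[2] = (uint8_t)(rel >> 8);
    buf[3] = (uint8_t)(rel >> 16);
    buf[4] = (uint8_t)(rel >> 24);
}

/* Decode the target of a "jmp rel32" at patch_addr; 0 if no jmp is there.
 * Useful as a post-patch sanity check before returning from the module's
 * init routine. */
static uint32_t decode_jmp_target(const uint8_t *buf, uint32_t patch_addr)
{
    if (buf[0] != JMP_REL32_OPCODE)
        return 0;
    uint32_t rel = (uint32_t)buf[1] | ((uint32_t)buf[2] << 8) |
                   ((uint32_t)buf[3] << 16) | ((uint32_t)buf[4] << 24);
    return patch_addr + JMP_REL32_LEN + rel;
}

/* Install the patch: save the original prologue bytes (needed to undo the
 * patch on module unload), then overwrite them with the jump. */
static void apply_hotfix(uint8_t *text, uint32_t func_addr, uint32_t fixed_addr,
                         uint8_t saved[JMP_REL32_LEN])
{
    memcpy(saved, text, JMP_REL32_LEN);
    encode_jmp(text, func_addr, fixed_addr);
}

/* Undo the patch by restoring the saved prologue bytes. */
static void remove_hotfix(uint8_t *text, const uint8_t saved[JMP_REL32_LEN])
{
    memcpy(text, saved, JMP_REL32_LEN);
}

/* The check the replacement do_brk() performs before doing anything else:
 * reject a range that wraps around or reaches above TASK_SIZE (i.e. into
 * kernel space). Returns 1 if the request must be refused, 0 otherwise. */
static int brk_range_rejected(uint32_t addr, uint32_t len)
{
    uint32_t end = addr + len;
    if (end < addr)          /* wrapped past 4 GB */
        return 1;
    if (end > TASK_SIZE)     /* would map kernel addresses */
        return 1;
    return 0;
}

int main(void)
{
    /* Constructed stand-in for the start of do_brk(): push %ebp; mov %esp,%ebp; nops */
    uint8_t text[16] = { 0x55, 0x89, 0xE5, 0x90, 0x90, 0x90, 0x90, 0x90,
                         0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
    uint8_t saved[JMP_REL32_LEN];
    const uint32_t do_brk_addr = 0xC0125A00u;   /* constructed */
    const uint32_t fixed_addr  = 0xC8834120u;   /* constructed, module space */

    apply_hotfix(text, do_brk_addr, fixed_addr, saved);
    printf("jmp at %08x now targets %08x\n", do_brk_addr,
           decode_jmp_target(text, do_brk_addr));

    printf("brk 0x08048000+0x1000: %s\n",
           brk_range_rejected(0x08048000u, 0x1000u) ? "rejected" : "ok");
    printf("brk 0xBFFFF000+0x2000: %s\n",
           brk_range_rejected(0xBFFFF000u, 0x2000u) ? "rejected" : "ok");

    remove_hotfix(text, saved);
    printf("restored first byte: %02x\n", text[0]);
    return 0;
}
```

Two caveats a practitioner would add before doing this to a live kernel: a five-byte store is not a single atomic write, so on an SMP box another CPU can enter do_brk() while the bytes are half written unless execution on the other CPUs is quiesced first; and the saved prologue bytes are the only way to undo the patch, so they must be kept for the lifetime of the module.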
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- Hot fix for do_brk bug canon (Dec 05)
- Re: Hot fix for do_brk bug Goetz Babin-Ebell (Dec 05)
- Re: Hot fix for do_brk bug Gunnar Wolf (Dec 05)
- Re: Hot fix for do_brk bug Pavel harry_x Palát (Dec 08)
- Re: Hot fix for do_brk bug Mariusz Woloszyn (Dec 09)
- Re: Hot fix for do_brk bug canon (Dec 09)
- Re: Hot fix for do_brk bug Goetz Babin-Ebell (Dec 05)