Re: Hot fix for do_brk bug

[Gunnar Wolf <gwolf () gwolf cx>]

Goetz Babin-Ebell dijo [Fri, Dec 05, 2003 at 10:31:27PM +0100]:
> > I've written a linux kernel module that can be used to hot fix a
> > Linux system for the bug in do_brk.  It scans the
> > kernel space and replaces jmp and calls to do_brk
> > to point to a wrapper routine instead.  It also maps
> > the symbol table to point to the wrapper.  This only
> > works on x86 and it has only been tested with RH kernels
> > 2.4.18-27.7.xsmp and 2.4.20-20.7smp.  It is quite possible
> > this could crash or screw-up a system, so use at your own
> > risk.  I've tested the module against the proof of concept code
> > written and posted by Christophe Devine.  The module catches
> > the exploit and logs the attempt.
>
> It would be less intrusive to the kernel to supply a fixed do_brk()
> and replace the do_brk with a jump to your version.
>
> This way you only have to touch one place
> in the kernel space (and no guesswork, no modify
> of kernel data that might look like a pointer to do_brk()
> but is really something else...)

Not only that - In order to be really effective, the hotfix would
require to remain active and check each module loaded into the kernel,
as modules might point to the real do_brk() call. Yes, it becomes
_much_ harder for an intruder to exploit it, but the patch is not
perfect. 

...But anyway, it is quite welcome, a very valuable work. Of course,
the only way out of troubles is to install a new kernel. Sadly, many
people handle uptimes as pissing contests and disregard updating their
systems. 

Greetings,

-- 
Gunnar Wolf - gwolf () gwolf cx - (+52-55)5630-9700 ext. 1366
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973  F800 D80E F35A 8BB5 27AF