Bugtraq mailing list archives

RE: Linux kernel do_mremap() proof-of-concept exploit code

From: <tlarholm () pivx com>
Date: Tue, 6 Jan 2004 10:08:10 -0800

From: Bruno Lustosa [mailto:bruno () lustosa net] 
Tested it under Linux 2.6.1-rc1, and surprisingly, 
the machine rebooted instantly. Isn't the mremap 
bug supposed to be fixed on the 2.6 series?


It is, but not in 2.6.1-rc1.

From http://isec.pl/vulnerabilities/isec-0013-mremap.txt:


"Version:   2.2, 2.4 and 2.6 series"

"The exploitability of the discovered vulnerability is possible,
although not a trivial one. We have identified at least two different
attack vectors for the  2.4 kernel series."

And from
http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.1-rc2

"<torvalds () home osdl org>
        Don't allow mremap of zero-sized areas."

The do_mremap() vulnerability is fixed in the 2.6 kernel only in
2.6.1-rc2, where as you tested on 2.6.1-rc1.

The latest version of the 2.2 kernel is 2.2.25, but there was no
immediate changelog available. However, it was created on January 3 so I
suspect it would have the patch?


Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor () pivx com
949-231-8496

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix
<http://www.qwik-fix.net>

Current thread:

Linux kernel do_mremap() proof-of-concept exploit code Christophe Devine (Jan 06)
- Re: Linux kernel do_mremap() proof-of-concept exploit code Bruno Lustosa (Jan 06)
- Re: Linux kernel do_mremap() proof-of-concept exploit code Alexandre Hautequest (Jan 06)
- Re: Linux kernel do_mremap() proof-of-concept exploit code Angelo Dell'Aera (Jan 07)
  - Re: Linux kernel do_mremap() proof-of-concept exploit code D Lambrou (Jan 07)
- <Possible follow-ups>
- RE: Linux kernel do_mremap() proof-of-concept exploit code tlarholm (Jan 06)