7548256 2001-11-21 10:52 +0100 /33 rader/ Juergen Pabel <spamtrap@invalid.domain> Sänt av: joel@lysator.liu.se Importerad: 2001-11-22 01:01 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <19834> Ärende: SuSE 7.3 : Kernel 2.4.10-4GB Bug ------------------------------------------------------------ From: Juergen Pabel <spamtrap@invalid.domain> To: bugtraq@securityfocus.com Message-ID: <20011121094913.46F385046@server01.intra.akkaya.de> Summary: Any local user can crash a SuSE 7.3 Kernel 2.4.10-4GB (I imagine this is a buffer overflow or pointer verification problem while in kernel mode) Details: I updated my SuSE 7.2 installation to 7.3 and now I can reproducably crash the system as any local user (ie: non-root). Out of curiousity i started the file /usr/src/linux/vmlinux (basically: the file "vmlinux" in the base kernel source directory) which is the "pure" (for lack of a better word) kernel after a successful kernel compilation. Since this file is essentially an ELF executable it's possible to start it (whether or not it actually "runs" is a different story). On a correctly running kernel it should (and does) exit with SIGSEGV, while on a 2.4.10-4GB kernel it crashes the whole system (hard reset, instantly...kaputt). I have not tested this any further except to verify that this is actually a problem with the kernel and not some other kernel module i use (vmware, pcmcia, ...) or even hardware (tested with same result on a different machine) I have also not notified the vendor yet because I haven't verified if the cause is a SuSE patch or if the problem resides within the original kernel code (I haven't even started looking for the source of the problem). If you want to contact me do so via email "jpabel at akkaya dot de" Juergen Pabel Akkaya Consulting GmbH www.akkaya.de (7548256) /Juergen Pabel <spamtrap@invalid.domain>/(Ombruten) Kommentar i text 7548537 av Luciano Miguel Ferreira Rocha <strange@nsk.yi.org> 7548537 2001-11-22 00:04 +0000 /25 rader/ Luciano Miguel Ferreira Rocha <strange@nsk.yi.org> Sänt av: joel@lysator.liu.se Importerad: 2001-11-22 02:55 av Brevbäraren Extern mottagare: Juergen Pabel <jpabel@akkaya.dot.de> Extern kopiemottagare: bugtraq@securityfocus.com Externa svar till: strange@nsk.yi.org Mottagare: Bugtraq (import) <19841> Kommentar till text 7548256 av Juergen Pabel <spamtrap@invalid.domain> Ärende: Re: SuSE 7.3 : Kernel 2.4.10-4GB Bug ------------------------------------------------------------ From: Luciano Miguel Ferreira Rocha <strange@nsk.yi.org> To: Juergen Pabel <jpabel@akkaya.dot.de> Cc: bugtraq@securityfocus.com Message-ID: <20011122000458.A1022@nsk.yi.org> I've been able to reproduce the results (instant reboot) by running the vmlinux as a normal user in a clean Linux 2.4.10 plus ext3, on Red Hat Linux system, Pentium 233 MMX processor. I coulnd't reproduce the reboot in a Piii 750, kernel 2.4.15-pre2, either normal or root user (good SIGSEGV :)). It looks like it is a problem within the original kernel, and that it has been fixed in later releases... Regards -- Luciano Rocha, strange@nsk.yi.org The trouble with computers is that they do what you tell them, not what you want. -- D. Cohen (7548537) /Luciano Miguel Ferreira Rocha <strange@nsk.yi.org>/(Ombruten) Kommentar i text 7562516 av Seth Arnold <sarnold@marcelothewonderpenguin.com> Kommentar i text 7563030 av Andrea Arcangeli <andrea@suse.de> 7562516 2001-11-21 17:47 -0800 /23 rader/ Seth Arnold <sarnold@marcelothewonderpenguin.com> Sänt av: joel@lysator.liu.se Importerad: 2001-11-23 21:46 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <19849> Kommentar till text 7548537 av Luciano Miguel Ferreira Rocha <strange@nsk.yi.org> Ärende: Re: SuSE 7.3 : Kernel 2.4.10-4GB Bug ------------------------------------------------------------ On Thu, Nov 22, 2001 at 12:04:58AM +0000, Luciano Miguel Ferreira Rocha wrote: > I've been able to reproduce the results (instant reboot) by running the > vmlinux as a normal user in a clean Linux 2.4.10 plus ext3, > on Red Hat Linux system, Pentium 233 MMX processor. I have a hunch of where the problem may have been fixed: [2,4.11-pre5] - Jakub Jelinek: ELF loader cleanups [2.4.11-pre3] - various: embarrassing lack of error checking in ELF loader [2.4.11-pre2] - Jakub Jelinek: handle more ELF loading special cases Vendors wishing to backport patches into their kernels may wish to start by looking at these patches. (I've long felt that the ELF loader is a likely place for festering problems. If anyone else wants to audit the binfmt_elf loader, I know I would be greatful. :) (7562516) /Seth Arnold <sarnold@marcelothewonderpenguin.com>/(Ombruten) Bilaga (application/pgp-signature) i text 7562517 7562517 2001-11-21 17:47 -0800 /10 rader/ Seth Arnold <sarnold@marcelothewonderpenguin.com> Importerad: 2001-11-23 21:46 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <19850> Bilaga (text/plain) till text 7562516 Ärende: Bilaga till: Re: SuSE 7.3 : Kernel 2.4.10-4GB Bug ------------------------------------------------------------ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE7/Fko1XMg6PgdEDQRAqEsAJ9PKPwnCnXrWPuox+WXUjxbtdMjMgCg4EJp mPiB17He4LzhAchx3nWL42Y= =fN8r -----END PGP SIGNATURE----- (7562517) /Seth Arnold <sarnold@marcelothewonderpenguin.com>/ 7563030 2001-11-22 04:40 +0100 /54 rader/ Andrea Arcangeli <andrea@suse.de> Sänt av: joel@lysator.liu.se Importerad: 2001-11-23 23:45 av Brevbäraren Extern mottagare: Luciano Miguel Ferreira Rocha <strange@nsk.yi.org> Extern kopiemottagare: Juergen Pabel <jpabel@akkaya.dot.de> Extern kopiemottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <19854> Kommentar till text 7548537 av Luciano Miguel Ferreira Rocha <strange@nsk.yi.org> Ärende: Re: SuSE 7.3 : Kernel 2.4.10-4GB Bug ------------------------------------------------------------ From: Andrea Arcangeli <andrea@suse.de> To: Luciano Miguel Ferreira Rocha <strange@nsk.yi.org> Cc: Juergen Pabel <jpabel@akkaya.dot.de>, bugtraq@securityfocus.com Message-ID: <20011122044057.M7955@athlon.random> On Thu, Nov 22, 2001 at 12:04:58AM +0000, Luciano Miguel Ferreira Rocha wrote: > > I've been able to reproduce the results (instant reboot) by running the > vmlinux as a normal user in a clean Linux 2.4.10 plus ext3, > on Red Hat Linux system, Pentium 233 MMX processor. > > I coulnd't reproduce the reboot in a Piii 750, kernel 2.4.15-pre2, either > normal or root user (good SIGSEGV :)). > > It looks like it is a problem within the original kernel, and that it > has been fixed in later releases... Correct. The bug is been fixed in 2.4.11pre3 (most of the credit for the finding the bug and fixing it goes to Linus btw). All 2.4 kernels before 2.4.12 are affected by such bug. It shouldn't be expoitable, it should only lead to a local DoS. A patch to fix vanilla 2.4.10 can be downloaded from here: ftp://ftp.us.kernel.org/pub/linux/kernel/people/andrea/patches/v2.4/2.4.10/binfmt_elf-checks-1 A patch to fix the 2.4.10.SuSE-7.3 kernel (both the original one in the CDs, and also the first kernel security update) can be downloaded from here: ftp://ftp.us.kernel.org/pub/linux/kernel/people/andrea/patches/v2.4/2.4.10.SuSE-7.3/binfmt_elf-checks-1 The above two fixes cures more than just the vmlinux crash, there were further checks missing, and the above two patches just includes the further checks as well. If you run a recent kernel (>=2.4.12) and you want the further checks (even if not necessary just for the vmlinux crash) this is the patch that you can apply: ftp://ftp.us.kernel.org/pub/linux/kernel/people/andrea/kernels/v2.4/2.4.15pre7aa1/00_binfmt-elf-checks-1 The crash is generated by the missing error checks for the mmap/brk implicit calls while mapping the elf files during execve. The x86 vmlinux elf image claims to be mapped over 3G (that's the kernel image and the kernel runs there), so the binfmt elf loader tries to map the vmlinux elf image there, and the mapping fails (because that's kernel space, not userspace) but the loader doesn't notice and crashes. On the SuSE side, more about SuSE kernel update rpm packages is to be announced soon. Andrea (7563030) /Andrea Arcangeli <andrea@suse.de>/(Ombruten)