New mremap bug

Billy O'Connor billyoc at gnuyork.org
Wed Feb 18 10:36:28 PST 2004


Christophe Devine <devine at iie.cnam.fr> writes:
> Have a look at the kernel messages with dmesg, if you see stuff like:
>
> kernel BUG at mmap.c:1194!
> invalid operand: 0000
> CPU:    0
> EIP:    0010:[<c01239b5>]    Not tainted
>
> Then your kernel is almost certainly vulnerable. There's no root exploit
> available yet though ;-)

Feb 18 13:35:06 dps11 kernel:  kernel BUG at mmap.c:1197!
Feb 18 13:35:06 dps11 kernel: invalid operand: 0000
Feb 18 13:35:06 dps11 kernel: loop parport_pc lp parport md msdos autofs4 af_packet efs hfs minix nls_iso8859-1 ntfs xfs reiserfs agpgart cs46xx ac97_codec soundcore eepro100 mii serial usb-uhci usbcore ds yenta_socket pcmcia_core apm rtc ext3 jbd  
Feb 18 13:35:06 dps11 kernel: CPU:    0
Feb 18 13:35:06 dps11 kernel: EIP:    0010:[insert_vm_struct+60/149]    Not tainted
Feb 18 13:35:06 dps11 kernel: EFLAGS: 00010287
Feb 18 13:35:06 dps11 kernel: eax: 3ffe2000   ebx: c6a069b0   ecx: c6a06960   edx: c6a06a00
Feb 18 13:35:06 dps11 kernel: esi: c6a069f4   edi: c6a069a4   ebp: cb9072d0   esp: c7c85f44
Feb 18 13:35:06 dps11 kernel: ds: 0018   es: 0018   ss: 0018
Feb 18 13:35:06 dps11 kernel: Process ck1 (pid: 26105, stackpage=c7c85000)
Feb 18 13:35:06 dps11 kernel: Stack: c6a069b0 c6a069f4 c6a069a4 3ffe1000 3ffe1000 c0131b6d cb9072d0 c0131bf4 
Feb 18 13:35:06 dps11 kernel:        cb9072d0 c6a06960 c7c84000 3ffe1000 00000003 00001000 cb9072d0 00000002 
Feb 18 13:35:06 dps11 kernel:        00000000 c7c85fbc c6a06960 c7c84000 c6a06a50 c0131cac 3ffe5000 00001000 
Feb 18 13:35:06 dps11 kernel: Call Trace: [do_mremap+1285/1552]  [do_mremap+1420/1552]  [sys_mremap+52/75]  [system_call+51/56] 
Feb 18 13:35:06 dps11 kernel: Code: 0f 0b ad 04 a1 ae 24 c0 8b 7c 24 10 8b 74 24 14 8b 5c 24 18 