New mremap bug

Jonas Norlander jonas.norlander at ovikonline.com
Wed Feb 18 13:05:07 PST 2004


On Wed, Feb 18, 2004 at 06:34:20PM +0000, Christophe Devine wrote:
> Billy O'Connor <billyoc at gnuyork.org> wrote:
> 
> > > For those of you who'd want to test for this vulnerability,
> > > I've written some simple exploit code:
> > > http://linuxfromscratch.org/~devine/mremap_poc_2.c
> 
> > With MREMAP_MAYMOVE | MREMAP_FIXED, I segfaulted, with MREMAP_MAYMOVE
> > alone, it ran.
> 
> Have a look at the kernel messages with dmesg, if you see stuff like:
> 
> kernel BUG at mmap.c:1194!
> invalid operand: 0000
> CPU:    0
> EIP:    0010:[<c01239b5>]    Not tainted
> 
> Then your kernel is almost certainly vulnerable. There's no root exploit
> available yet though ;-)
> 

Hi! 

I'm running kernel 2.4.24 with grsecurity 1.9.13 and ProPolice patches.

Steve Bremer wrote to the bugtraq list:
-8<-------
I think it's worth noting that those who have been using either the
2.4.23-ow2 or the 2.4.24-ow1 kernel patches from the Openwall Project
are not vulnerable to this latest mremap() bug
-8<-------

As I understand it, I should not be vulnerable to this bug,
as grsecurity and Openwall protect against the same thing, but I got
this output when running "mremap_poc_2.c".

./a.out
mmap: Cannot allocate memory
created ~65881 VMAs
now mremapping 0x40561000 at 0x4055D000
Segmentation fault

And this in the log:
kernel: kernel BUG at mmap.c:1424!
kernel: invalid operand: 0000
kernel: CPU:    0
kernel: EIP:    0010:[insert_vm_struct+61/176]    Not tainted
kernel: EFLAGS: 00010287
kernel: eax: 40546000   ebx: caf8a780   ecx: caf8a780   edx: caf8a6c0
kernel: esi: caf8a764   edi: caf8a7c4   ebp: 00001000   esp: ca69bee4
kernel: ds: 0018   es: 0018   ss: 0018
kernel: Process a.out (pid: 29271, stackpage=ca69b000)
kernel: Stack: caf8a780 caf8a764 caf8a7c4 00001000 00001000 c01a61a4 cce9f140 c01a6230
kernel:        cce9f140 caf8a780 ca69a000 00001000 cce9f15c ffff0001 00000002 00000000
kernel:        caf8a780 cce9f140 caf8a720 caf8a660 c01a630a 40549000 00001000 00001000
kernel: Call Trace:    [do_mremap+1800/2092] [do_mremap+1940/2092] [sys_mremap+66/96] [system_call+51/80] [system_call+77/80]
kernel:
kernel: Code: 0f 0b 90 05 21 42 2a c0 8b 6c 24 10 8b 7c 24 14 8b 74 24 18

Do I need to worry?

/Jonas
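The check Christophe describes above (look in dmesg for a `kernel BUG at mmap.c` oops reached through mremap) can be automated. The following is an added example, not code from this thread or from any of the projects mentioned; it parses the 2.4-style oops lines quoted in the post and matches on the source file plus the call trace rather than the BUG line number, since that number differs between kernels (1194 in one report, 1424 in the other). The sample log is constructed from the lines in this message.

```python
import re

# Constructed sample: the oops from the post above, as it appears in syslog.
SAMPLE_LOG = """\
kernel: kernel BUG at mmap.c:1424!
kernel: invalid operand: 0000
kernel: CPU:    0
kernel: EIP:    0010:[insert_vm_struct+61/176]    Not tainted
kernel: Process a.out (pid: 29271, stackpage=ca69b000)
kernel: Call Trace:    [do_mremap+1800/2092] [do_mremap+1940/2092] [sys_mremap+66/96] [system_call+51/80] [system_call+77/80]
"""

BUG_RE = re.compile(r"kernel BUG at (\S+):(\d+)!")
# EIP is either a raw address [<c01239b5>] or a resolved symbol [func+off/len].
EIP_RE = re.compile(r"EIP:\s+[0-9a-f]{4}:\[(?:<[0-9a-f]+>|([A-Za-z_]\w*)\+\d+/\d+)\]")
TRACE_RE = re.compile(r"Call Trace:(.*)")
SYM_RE = re.compile(r"\[(?:<[0-9a-f]+>|([A-Za-z_]\w*)\+\d+/\d+)\]")
PROC_RE = re.compile(r"Process (\S+) \(pid: (\d+)")


def parse_oops(text):
    """Extract BUG site, faulting symbol, process and call trace from oops lines."""
    info = {"bug_file": None, "bug_line": None, "eip_symbol": None,
            "process": None, "pid": None, "trace": []}
    for line in text.splitlines():
        m = BUG_RE.search(line)
        if m:
            info["bug_file"], info["bug_line"] = m.group(1), int(m.group(2))
        m = EIP_RE.search(line)
        if m:
            info["eip_symbol"] = m.group(1)  # None when only a raw address was printed
        m = PROC_RE.search(line)
        if m:
            info["process"], info["pid"] = m.group(1), int(m.group(2))
        m = TRACE_RE.search(line)
        if m:
            # Unresolved addresses yield an empty group and are dropped.
            info["trace"] = [s for s in SYM_RE.findall(m.group(1)) if s]
    return info


def looks_like_mremap_oops(info):
    """Signature from the thread: BUG() in mmap.c reached via do_mremap/sys_mremap."""
    in_mmap = info["bug_file"] == "mmap.c"
    via_mremap = any(sym.endswith("mremap") for sym in info["trace"])
    return in_mmap and via_mremap


if __name__ == "__main__":
    parsed = parse_oops(SAMPLE_LOG)
    print(parsed)
    print("mremap-style oops:", looks_like_mremap_oops(parsed))
```

On a live system the same functions can be fed the output of `dmesg` or the syslog file instead of the constructed sample.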
