Bugtraq mailing list archives

Re: Hotfix for new mremap vulnerability
From: Marc-Christian Petersen <m.c.p () gmx net>
Date: Sat, 21 Feb 2004 04:14:54 +0100

On Thursday 19 February 2004 17:32, Pavel harry_x Palát wrote:

Hi Pavel,

> Greetings,
>
> Here (http://wizard.ath.cx/fixmremap2.tar.gz) is a small hotfix for the newly
> discovered mremap() vulnerability. It doesn't directly change the do_mremap()
> code, it just overwrites the syscall handler with an LKM. In my opinion it is
> enough to fix just the mremap() syscall because at least on x86 there are no
> other functions which would use do_mremap directly. But this may not be true
> on other platforms (for example ia64)...
> The package contains the hotfix and a small proof of concept program which
> can be used to see if the kernel is vulnerable.
> Use at your own risk.

- call the POC exploit on a vulnerable system
- echo "1000000" > /proc/sys/vm/max_map_count
- call the POC exploit again
- see the difference

Well, at least it prevents the POC exploit, maybe there's more though.

Kudos to the PaX team :)

-- 
ciao, Marc

