Full Disclosure mailing list archives

Bug in PaX Linux Kernel 2.6 Patches
From: ChrisR- <chris () cr-secure net>
Date: Sat, 01 May 2004 08:06:16 -0400

http://www.cr-secure.net
Found by: borg (ChrisR-)

A small bug in PaX was found.

What is PaX?
-----------------------

PaX is a collection of intrusion prevention patches for the Linux kernel 2.2, 2.4, and 2.6.
This advisory only affects the PaX patches for the 2.6 Linux kernel.
PaX is located at http://pax.grsecurity.net

Impact?
------------------

Denial of service through putting the kernel into an infinite loop when ASLR is enabled.

Vulnerable PaX code?
-----------------------
(sorry for white space)
====================================================
'linux/mm/mmap.c'

        if (start_addr != TASK_UNMAPPED_BASE) {
#ifdef CONFIG_PAX_RANDMMAP
            if (current->flags & PF_PAX_RANDMMAP)
                start_addr = addr = TASK_UNMAPPED_BASE + mm->delta_mmap;
            else
#endif
            start_addr = addr = TASK_UNMAPPED_BASE;
            goto full_search;
        }
        return -ENOMEM;

====================================================
And for the correct code, grab the patch at http://pax.grsecurity.net/pax-linux-2.6.5-200405011700.patch

=====================================================

Exploit Code?
-----------------------

I'm not releasing my exploit code for this just yet. Perhaps I never will.
But it's very simple code, simple enough to do in 2 lines. You're not getting
any more proof-of-concept code from me on any advisories.

Fix?
-----------------------

The PaX team is aware of the problem and has already released a fix for it on the PaX homepage.

Thanks and greets:
Mattjf, TLharris, Shrike, think, and efnet #cryptography

http://www.cr-secure.net
chris () cr-secure net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
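The loop the advisory describes, as an added example that is not part of the original post or of PaX: a small C model of the restart logic quoted above. Reading the quoted check, with RANDMMAP on the search is restarted from TASK_UNMAPPED_BASE + mm->delta_mmap, which never equals the bare TASK_UNMAPPED_BASE while delta_mmap is non-zero, so a search that finds no free space restarts again instead of returning -ENOMEM. The address-space constants, the first-fit search over a toy mapping list, the MAX_RESTARTS guard (the kernel has none, which is why the real thing hangs) and the "fixed" variant that compares start_addr against the randomized base are all assumptions made for this illustration; the actual correction is whatever the linked patch does.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy address-space layout; these numbers are assumptions for the model,
 * not the kernel's real values. */
#define TASK_SIZE          0x100000UL
#define TASK_UNMAPPED_BASE 0x040000UL
#define MAX_RESTARTS       8      /* guard so the buggy path returns instead of hanging */
#define LOOP_DETECTED      (-1)   /* sentinel: the search would have spun forever */

struct vma { unsigned long start, end; };   /* [start, end), sorted, non-overlapping */

struct mm {
    unsigned long delta_mmap;      /* PaX RANDMMAP offset, 0 when randomization is off */
    unsigned long free_area_cache; /* where the previous search left off */
    const struct vma *vmas;
    int nvmas;
};

/* First-fit hole search from addr upward; returns 0 if no hole fits below TASK_SIZE. */
static unsigned long first_fit(const struct mm *mm, unsigned long addr, unsigned long len)
{
    for (int i = 0; i < mm->nvmas; i++) {
        const struct vma *v = &mm->vmas[i];
        if (v->end <= addr)
            continue;                 /* mapping lies entirely below the cursor */
        if (addr + len <= v->start)
            return addr;              /* hole before this mapping is big enough */
        addr = v->end;                /* cursor is inside or just before it: skip over */
    }
    return addr + len <= TASK_SIZE ? addr : 0;
}

/* Models the quoted restart logic: search from the cached cursor, restart once
 * from the base if that fails, then give up with -ENOMEM. The original check
 * compares start_addr with TASK_UNMAPPED_BASE even though the restart sets it
 * to TASK_UNMAPPED_BASE + delta_mmap; 'fixed' compares against the randomized
 * base instead (an assumed fix, not the PaX patch). *restarts counts restarts. */
static long get_unmapped_area(const struct mm *mm, unsigned long len, bool fixed, int *restarts)
{
    unsigned long base = TASK_UNMAPPED_BASE + mm->delta_mmap;
    unsigned long start_addr = mm->free_area_cache;
    unsigned long addr;

    *restarts = 0;
full_search:
    addr = first_fit(mm, start_addr, len);
    if (addr)
        return (long)addr;
    if (start_addr != (fixed ? base : TASK_UNMAPPED_BASE)) {
        if (++*restarts > MAX_RESTARTS)
            return LOOP_DETECTED;     /* the real kernel has no such guard */
        start_addr = base;
        goto full_search;
    }
    return -ENOMEM;
}

/* Scenario A (constructed): a hole exists below the cursor; one restart finds it. */
long scenario_gap(bool fixed, int *restarts)
{
    const unsigned long delta = 0x3000, base = TASK_UNMAPPED_BASE + delta;
    const struct vma vmas[] = { { base + 0x2000, TASK_SIZE } };
    struct mm mm = { delta, base + 0x5000, vmas, 1 };
    return get_unmapped_area(&mm, 0x1000, fixed, restarts);
}

/* Scenario B (constructed): everything from the randomized base upward is mapped. */
long scenario_exhausted(unsigned long delta, bool fixed, int *restarts)
{
    const unsigned long base = TASK_UNMAPPED_BASE + delta;
    const struct vma vmas[] = { { base, TASK_SIZE } };
    struct mm mm = { delta, base + 0x10000, vmas, 1 };
    return get_unmapped_area(&mm, 0x1000, fixed, restarts);
}

int main(void)
{
    int r;
    long v = scenario_gap(false, &r);
    printf("hole below cursor, original check: 0x%lx after %d restart(s)\n", (unsigned long)v, r);
    v = scenario_exhausted(0, false, &r);
    printf("exhausted, RANDMMAP off, original check: %ld after %d restart(s)\n", v, r);
    v = scenario_exhausted(0x3000, false, &r);
    printf("exhausted, RANDMMAP on, original check: %s after %d restart(s)\n",
           v == LOOP_DETECTED ? "would never terminate" : "returned", r);
    v = scenario_exhausted(0x3000, true, &r);
    printf("exhausted, RANDMMAP on, fixed check: %ld after %d restart(s)\n", v, r);
    return 0;
}
```

Build with `cc -std=c99 -Wall pax_restart.c` (file name assumed). The third case is the advisory's denial of service: only the artificial MAX_RESTARTS cap makes the model return; in the kernel the `goto full_search` would be taken indefinitely. Note that the bug only bites when the address space is exhausted, which is why it is a denial of service and not a memory-safety issue.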
