New kernel vulnerability

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby devastor » Wed Feb 18, 2004 10:07 am

Another critical kernel vulnerability in the mremap(3) system call was announced today.

http://isec.pl/vulnerabilities/isec-001 ... -unmap.txt

Kernel 2.4.25 has been released and fixes this issue.
However, the grsecurity patch for 2.4.24 won't apply cleanly to 2.4.25, so some changes are required.

Hopefully spender will make a new patch for it soon 8)
devastor
 
Posts: 41
Joined: Fri Oct 11, 2002 5:07 pm

Postby miha » Wed Feb 18, 2004 1:57 pm

2.4.24-grsec is not affected (at least when I tried):

mmap: Cannot allocate memory
created ~5346 VMAs
now mremapping 0x05385000 at 0x05381000
kernel may not be vulnerable


regards,
M.
miha
 
Posts: 28
Joined: Sat Nov 30, 2002 9:09 am

Postby devastor » Wed Feb 18, 2004 2:33 pm

I wouldn't count on that.
2.4.24 with grsec 1.9.13

mmap: Cannot allocate memory
created ~65865 VMAs
now mremapping 0x40521000 at 0x4051D000
zsh: 6170 segmentation fault ./poc

dmesg:

kernel BUG at mmap.c:1424!
invalid operand: 0000
CPU: 0
EIP: 0010:[<c01b0a85>] Not tainted
EFLAGS: 00010287
eax: 4051e000 ebx: 00000001 ecx: c129bf38 edx: c129bf20
esi: c129bfc4 edi: c1306104 ebp: c13060c0 esp: c12abecc
ds: 0018 es: 0018 ss: 0018
Process poc (pid: 6170, stackpage=c12ab000)
Stack: 00000001 c129bfc4 c1306104 00001000 00001000 c01b6210 c10ba300 c01b62a0
c10ba300 c13060c0 c12aa000 00001000 c10ba31c ffff0001 00000002 00000000
c13060c0 c129bf80 c129bec0 c01b637a 40521000 00001000 00001000 00000003
Call Trace: [<c01b6210>] [<c01b62a0>] [<c01b637a>] [<c0192e93>]

Code: 0f 0b 90 05 e1 66 2f c0 8b 7c 24 10 8b 74 24 14 8b 5c 24 18
devastor
 
Posts: 41
Joined: Fri Oct 11, 2002 5:07 pm

Postby mar » Wed Feb 18, 2004 2:43 pm

How long does grsec usually take to release an update?
I don't like having my servers standing exposed :roll:
mar
 
Posts: 3
Joined: Wed Feb 18, 2004 2:42 pm

Postby spender » Wed Feb 18, 2004 3:08 pm

I've just put a pre-release 1.9.14 patch up on http://grsecurity.net/~spender/ for testing. It's against 2.4.25. Let me know about any problems. It has the latest PaX code in it also.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby jagdfalke » Wed Feb 18, 2004 3:09 pm

http://linux.bkbits.net:8080/linux-2.4/ ... set@1.1323

That is the fix for the most important vulnerability, if I'm not mistaken.

but I'd like to see patches for new versions asap nevertheless :)

cu
jagdfalke
jagdfalke
 
Posts: 2
Joined: Sat Feb 14, 2004 11:52 am

Postby miha » Wed Feb 18, 2004 3:21 pm

devastor wrote:I wouldn't count on that.
2.4.24 with grsec 1.9.13

mmap: Cannot allocate memory
created ~65865 VMAs
now mremapping 0x40521000 at 0x4051D000
zsh: 6170 segmentation fault ./poc

ok, here's another one:

miha@devil [~]# ./p2
mmap: Cannot allocate memory
created ~16558 VMAs
now mremapping 0x102B5000 at 0x102B1000
kernel may not be vulnerable
miha@devil [~]# uname -a
Linux devil 2.4.24-grsec #1 SMP Fri Jan 9 10:57:24 EST 2004 i686 unknown


and dmesg:

grsec: From xxx.xxx.xxx.xxx: attempted resource overstep by requesting 204804096 for RLIMIT_AS against limit 204800000 by (p2:26341) UID(32008) EUID(32008), parent (bash:15448) UID(32008) EUID(32008)


Tested on 5 machines, and so far all of them showed the same result (as above).
miha
 
Posts: 28
Joined: Sat Nov 30, 2002 9:09 am
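The grsec line in miha's dmesg has a fixed layout, which makes it straightforward to parse and alert on. What follows is an added example written for this page, not code from the thread or from grsecurity: it parses lines of that shape with sscanf and flags RLIMIT_AS oversteps by non-root users, which on this page is the only trace the blocked PoC left behind. The field layout is assumed from the single line quoted above (other grsec message types are not handled); the first sample line is that line, the second is constructed here to show the filter rejecting an overstep of a different resource.

```c
/* Added example (not from the thread or grsecurity): parse the
 * "attempted resource overstep" audit line quoted above and flag
 * RLIMIT_AS oversteps by unprivileged users. */
#include <stdio.h>
#include <string.h>

struct overstep_event {
    char source[64];                 /* text after "From " (an address, or "xxx..." as on the page) */
    unsigned long long requested;    /* bytes (or units) requested */
    char resource[32];               /* e.g. "RLIMIT_AS" */
    unsigned long long limit;        /* limit in force */
    char comm[64];  int pid, uid, euid;     /* offending process */
    char pcomm[64]; int ppid, puid, peuid;  /* its parent */
};

/* Parse one syslog line of the layout seen on the page. Returns 0 on success,
 * -1 if the line is not a resource-overstep message in exactly that layout.
 * Assumption: the layout is taken from the one line quoted above; process
 * names containing ':' or ')' would need a different parser. */
int parse_overstep(const char *line, struct overstep_event *ev)
{
    int n = sscanf(line,
        "grsec: From %63[^:]: attempted resource overstep by requesting %llu "
        "for %31s against limit %llu by (%63[^:]:%d) UID(%d) EUID(%d), "
        "parent (%63[^:]:%d) UID(%d) EUID(%d)",
        ev->source, &ev->requested, ev->resource, &ev->limit,
        ev->comm, &ev->pid, &ev->uid, &ev->euid,
        ev->pcomm, &ev->ppid, &ev->puid, &ev->peuid);
    return n == 12 ? 0 : -1;
}

/* By how much the request overshot the limit (0 if it did not). */
unsigned long long overshoot_bytes(const struct overstep_event *ev)
{
    return ev->requested > ev->limit ? ev->requested - ev->limit : 0;
}

/* Detection rule: an address-space overstep by a non-root uid. */
int is_unprivileged_as_overstep(const struct overstep_event *ev)
{
    return strcmp(ev->resource, "RLIMIT_AS") == 0 && ev->uid != 0 && ev->euid != 0;
}

/* Sample lines: the first is the line from the thread, the second is
 * constructed here (a different resource) to show the filter rejecting it. */
static const char *const SAMPLE_LINES[] = {
    "grsec: From xxx.xxx.xxx.xxx: attempted resource overstep by requesting 204804096 "
    "for RLIMIT_AS against limit 204800000 by (p2:26341) UID(32008) EUID(32008), "
    "parent (bash:15448) UID(32008) EUID(32008)",
    "grsec: From 10.0.0.5: attempted resource overstep by requesting 301 "
    "for RLIMIT_NPROC against limit 300 by (sh:4242) UID(1000) EUID(1000), "
    "parent (sshd:4100) UID(0) EUID(0)",
};

/* Run the rule over a batch of lines; returns how many were flagged. */
int count_flagged(const char *const *lines, int nlines)
{
    int flagged = 0;
    for (int i = 0; i < nlines; i++) {
        struct overstep_event ev;
        if (parse_overstep(lines[i], &ev) != 0) {
            printf("unparsed: %s\n", lines[i]);
            continue;
        }
        if (is_unprivileged_as_overstep(&ev)) {
            printf("ALERT %s pid %d uid %d (parent %s:%d): %s overshoot %llu\n",
                   ev.comm, ev.pid, ev.uid, ev.pcomm, ev.ppid,
                   ev.resource, overshoot_bytes(&ev));
            flagged++;
        }
    }
    return flagged;
}

int main(void)
{
    return count_flagged(SAMPLE_LINES, 2) == 1 ? 0 : 1;
}
```

On the line from the thread the overshoot is exactly 4096 bytes, one page: the request that tripped the limit was one more small mapping, which is consistent with the PoC being cut off in its mapping-creation phase rather than in mremap itself.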

Postby exci » Wed Feb 18, 2004 3:38 pm

For those with the "kernel may not be vulnerable", what option/acl is it that stopped it?

It 'crashed' on me (2.4.24-grsec-1.9.13): I can't use things like top/ps/w etc., but I can still compile my new kernel on it and use the services that I have running.
It isn't that 'critical' to me :P (edit: oh, just read that you could get root access out of it, so critical++ ;) )

make[1]: Entering directory `/usr/src/linux-2.4.25/kernel'
make all_targets
make[2]: Entering directory `/usr/src/linux-2.4.25/kernel'
gcc -D__KERNEL__ -I/usr/src/linux-2.4.25/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=athlon   -nostdinc -iwithprefix include -DKBUILD_BASENAME=sched  -fno-omit-frame-pointer -c -o sched.o sched.c
In file included from /usr/src/linux-2.4.25/include/asm/mmu_context.h:5,
                 from sched.c:36:
/usr/src/linux-2.4.25/include/asm/desc.h: In function `load_LDT':
/usr/src/linux-2.4.25/include/asm/desc.h:92: warning: assignment discards qualifiers from pointer target type
/usr/src/linux-2.4.25/include/asm/desc.h: In function `_load_LDT':
/usr/src/linux-2.4.25/include/asm/desc.h:103: error: structure has no member named `segments'
make[2]: *** [sched.o] Error 1
make[2]: Leaving directory `/usr/src/linux-2.4.25/kernel'
make[1]: *** [first_rule] Error 2
make[1]: Leaving directory `/usr/src/linux-2.4.25/kernel'
make: *** [_dir_kernel] Error 2


The kernel can't compile with the new grsec patch.
Last edited by exci on Wed Feb 18, 2004 4:06 pm, edited 2 times in total.
exci
 
Posts: 1
Joined: Wed Feb 18, 2004 3:33 pm

Postby drixter » Wed Feb 18, 2004 3:42 pm

spender wrote:I've just put a pre-release 1.9.14 patch up on http://grsecurity.net/~spender/ for testing. It's against 2.4.25. Let me know about any problems. It has the latest PaX code in it also.

-Brad


Problem with the compile: a bare kernel compiles fine, but with this grsec patch it doesn't.

[root@fido linux]# make bzImage
scripts/split-include include/linux/autoconf.h include/config
gcc -D__KERNEL__ -I/usr/src/linux-2.4.25/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=athlon   -DKBUILD_BASENAME=main -c -o init/main.o init/main.c
. scripts/mkversion > .tmpversion
gcc -D__KERNEL__ -I/usr/src/linux-2.4.25/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=athlon  -DUTS_MACHINE='"i386"' -DKBUILD_BASENAME=version -c -o init/version.o init/version.c
gcc -D__KERNEL__ -I/usr/src/linux-2.4.25/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=athlon   -DKBUILD_BASENAME=do_mounts -c -o init/do_mounts.o init/do_mounts.c
make CFLAGS="-D__KERNEL__ -I/usr/src/linux-2.4.25/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=athlon " -C  kernel
make[1]: Entering directory `/usr/src/linux-2.4.25/kernel'
make all_targets
make[2]: Entering directory `/usr/src/linux-2.4.25/kernel'
gcc -D__KERNEL__ -I/usr/src/linux-2.4.25/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=athlon   -nostdinc -iwithprefix include -DKBUILD_BASENAME=sched  -fno-omit-frame-pointer -c -o sched.o sched.c
In file included from /usr/src/linux-2.4.25/include/asm/mmu_context.h:5,
                 from sched.c:36:
/usr/src/linux-2.4.25/include/asm/desc.h: In function `load_LDT':
/usr/src/linux-2.4.25/include/asm/desc.h:92: warning: assignment discards qualifiers from pointer target type
/usr/src/linux-2.4.25/include/asm/desc.h: In function `_load_LDT':
/usr/src/linux-2.4.25/include/asm/desc.h:103: error: structure has no member named `segments'
make[2]: *** [sched.o] Error 1
make[2]: Leaving directory `/usr/src/linux-2.4.25/kernel'
make[1]: *** [first_rule] Error 2
make[1]: Leaving directory `/usr/src/linux-2.4.25/kernel'
make: *** [_dir_kernel] Error 2


[root@fido root]# ./ver_linux
If some fields are empty or look unusual you may have an old version.
Compare to the current minimal requirements in Documentation/Changes.

Linux fido.e-utp.net 2.4.24-grsec #4 Sat Feb 7 11:17:50 CET 2004 i686 AMD Duron(tm) Processor

Gnu C                  3.3.2
Gnu make               3.80
util-linux             2.11x
mount                  2.11x
modutils               2.4.22
e2fsprogs              1.32
jfsutils               1.0.24
Linux C Library        2.3.1
Dynamic linker (ldd)   2.3.1
Procps                 3.1.14
Net-tools              1.60
Console-tools          0.2.3
Sh-utils               5.1.2
Modules Loaded         nvidia cls_fw cls_u32 sch_sfq sch_htb ipt_LOG ipt_unclean ipt_MARK ipt_multiport ipt_state ipt_REJECT iptable_mangle iptable_nat ip_conntrack iptable_filter ip_tables 8139too mii crc32 nls_iso8859-2
Last edited by drixter on Wed Feb 18, 2004 3:45 pm, edited 1 time in total.
drixter
 
Posts: 1
Joined: Wed Feb 18, 2004 3:35 pm

Postby devastor » Wed Feb 18, 2004 3:42 pm

That's strange. Limiting users' virtual memory shouldn't help in this case.

Testing with this PoC?

http://www.derkeiler.com/Mailing-Lists/ ... /0052.html
devastor
 
Posts: 41
Joined: Fri Oct 11, 2002 5:07 pm

Postby miha » Wed Feb 18, 2004 4:06 pm

Yes, using http://www.derkeiler.com/Mailing-Lists/ ... /0052.html
It does not work with ACLs either enabled or disabled.
Using a custom grsecurity config in the kernel.

regards,
M.
miha
 
Posts: 28
Joined: Sat Nov 30, 2002 9:09 am

2.4.25 patch error

Postby underattack » Wed Feb 18, 2004 4:35 pm

On 'make bzImage', I get the following error:

cc -D__KERNEL__ -I/usr/src/linux-2.4.25/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=i686 -nostdinc -iwithprefix include -DKBUILD_BASENAME=sched -fno-omit-frame-pointer -c -o sched.o sched.c
In file included from /usr/src/linux-2.4.25/include/asm/mmu_context.h:5,
                 from sched.c:36:
/usr/src/linux-2.4.25/include/asm/desc.h: In function `load_LDT':
/usr/src/linux-2.4.25/include/asm/desc.h:92: warning: assignment discards qualifiers from pointer target type
/usr/src/linux-2.4.25/include/asm/desc.h: In function `_load_LDT':
/usr/src/linux-2.4.25/include/asm/desc.h:103: structure has no member named `segments'
underattack
 
Posts: 4
Joined: Wed Feb 18, 2004 4:08 pm

Postby devastor » Wed Feb 18, 2004 4:51 pm

Odd, so far it has caused a DoS or an oops on all systems I've tested it on.
Maybe some memory limit stops that specific exploit from working,
but it really doesn't mean you wouldn't be vulnerable, as the exploit also says :)
devastor
 
Posts: 41
Joined: Fri Oct 11, 2002 5:07 pm
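On why a tight RLIMIT_AS makes the PoC print "kernel may not be vulnerable" without fixing anything: the PoC output on this page shows it first filling the address space with mappings until mmap fails with "Cannot allocate memory", and an address-space limit brings that failure on after far fewer mappings (~16558 on miha's hosts, whose grsec log shows a 204800000-byte RLIMIT_AS, against ~65865 on devastor's). The program below is an added example, not the PoC and not code from the thread or grsecurity: it counts how many one-page anonymous mappings a process can create before mmap fails, once as-is and once under a temporary 128 MiB RLIMIT_AS soft limit, and reports the errno that stopped it. It is Linux-specific; the 128 MiB figure and the alternating page protections (which keep the kernel from merging neighbouring mappings into one VMA) are this example's own choices, not anything from the thread.

```c
/* Added example (not the PoC, not code from the thread or grsecurity):
 * measure how many one-page anonymous mappings a process can create before
 * mmap() fails, with and without an RLIMIT_AS soft limit. Linux-specific. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* Safety cap on probe iterations; the default vm.max_map_count is 65530,
 * so an unlimited run normally stops with ENOMEM before reaching this. */
#define MAX_PROBE_MAPPINGS 70000

struct probe_result {
    long mapped;       /* one-page mappings that succeeded */
    int  final_errno;  /* errno from the first failing mmap(), 0 if the cap was hit */
};

/* Map single pages until mmap() fails, then unmap them all. Protections
 * alternate between RW and RO so the kernel cannot merge neighbouring
 * mappings into one VMA; each successful call therefore costs one VMA
 * as well as one page of address space (our choice, not the PoC's method). */
struct probe_result probe_vma_headroom(void)
{
    struct probe_result r = {0, 0};
    long page = sysconf(_SC_PAGESIZE);
    void **maps = calloc(MAX_PROBE_MAPPINGS, sizeof *maps);
    if (maps == NULL) { r.final_errno = errno; return r; }

    for (long i = 0; i < MAX_PROBE_MAPPINGS; i++) {
        int prot = (i & 1) ? PROT_READ : (PROT_READ | PROT_WRITE);
        void *p = mmap(NULL, (size_t)page, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (p == MAP_FAILED) { r.final_errno = errno; break; }
        maps[r.mapped++] = p;
    }
    for (long i = 0; i < r.mapped; i++) munmap(maps[i], (size_t)page);
    free(maps);
    return r;
}

/* Run the probe under a temporary RLIMIT_AS soft limit and restore the
 * original afterwards. Only the soft limit is touched, so it can be raised
 * again without privilege. Returns 0 on success, -1 if the limit could not
 * be set or restored. */
int probe_under_as_limit(rlim_t limit_bytes, struct probe_result *out)
{
    struct rlimit orig, tmp;
    if (getrlimit(RLIMIT_AS, &orig) != 0) return -1;
    tmp = orig;
    tmp.rlim_cur = limit_bytes < orig.rlim_max ? limit_bytes : orig.rlim_max;
    if (setrlimit(RLIMIT_AS, &tmp) != 0) return -1;
    *out = probe_vma_headroom();
    if (setrlimit(RLIMIT_AS, &orig) != 0) return -1;
    return 0;
}

int main(void)
{
    struct probe_result unlimited = probe_vma_headroom();
    struct probe_result limited;
    if (probe_under_as_limit((rlim_t)128 << 20, &limited) != 0) {
        perror("setrlimit(RLIMIT_AS)");
        return 1;
    }
    printf("no extra limit   : %ld mappings, then mmap: %s\n", unlimited.mapped,
           unlimited.final_errno ? strerror(unlimited.final_errno) : "probe cap reached");
    printf("RLIMIT_AS 128 MiB: %ld mappings, then mmap: %s\n", limited.mapped,
           strerror(limited.final_errno));
    return 0;
}
```

Run as an ordinary user, the limited pass stops with ENOMEM after far fewer mappings than the unlimited one; that ENOMEM is the same "mmap: Cannot allocate memory" the PoC prints. The limit only moves the point at which the probe gives up, it says nothing about whether the kernel's mremap path is patched, which is devastor's point.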

Postby mar » Wed Feb 18, 2004 5:00 pm

gcc -D__KERNEL__ -I/usr/src/linux-2.4.25/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=i686   -nostdinc -iwithprefix include -DKBUILD_BASENAME=sched  -fno-omit-frame-pointer -c -o sched.o sched.c
In file included from /usr/src/linux-2.4.25/include/asm/mmu_context.h:5,
                 from sched.c:36:
/usr/src/linux-2.4.25/include/asm/desc.h: In function `load_LDT':
/usr/src/linux-2.4.25/include/asm/desc.h:92: warning: assignment discards qualifiers from pointer target type
/usr/src/linux-2.4.25/include/asm/desc.h: In function `_load_LDT':
/usr/src/linux-2.4.25/include/asm/desc.h:103: structure has no member named `segments'
make[2]: *** [sched.o] Error 1
make[2]: Leaving directory `/usr/src/linux-2.4.25/kernel'
make[1]: *** [first_rule] Error 2
make[1]: Leaving directory `/usr/src/linux-2.4.25/kernel'
make: *** [_dir_kernel] Error 2


This is the error I get when trying to compile 2.4.25 with the pre-release of grsec 1.9.14.
mar
 
Posts: 3
Joined: Wed Feb 18, 2004 2:42 pm

Postby devastor » Wed Feb 18, 2004 5:29 pm

This patch should fix that:

http://silen.fi/usr/grsec.patch
devastor
 
Posts: 41
Joined: Fri Oct 11, 2002 5:07 pm
