<<< Date Index >>>     <<< Thread Index >>>

Re: Hot fix for do_brk bug



Hello Shane,

canon@xxxxxxxxx wrote:
I've written a linux kernel module that can be used to hot fix a
Linux system for the bug in do_brk.  It scans the
kernel space and replaces jmp and calls to do_brk
to point to a wrapper routine instead.  It also maps
the symbol table to point to the wrapper.  This only
works on x86 and it has only been tested with RH kernels
2.4.18-27.7.xsmp and 2.4.20-20.7smp.  It is quite possible
this could crash or screw-up a system, so use at your own
risk.  I've tested the module against the proof of concept code
written and posted by Christophe Devine.  The module catches
the exploit and logs the attempt.

It would be less intrusive to the kernel to supply a fixed do_brk()
and replace the do_brk with a jump to your version.

This way you only have to touch one place
in the kernel space (and no guesswork, no modify
of kernel data that might look like a pointer to do_brk()
but is really something else...)

Bye

Goetz

--
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature