Hello Shane,

canon@xxxxxxxxx wrote:
> I've written a Linux kernel module that can be used to hot-fix a Linux system for the bug in do_brk. It scans the kernel space and replaces jmps and calls to do_brk to point to a wrapper routine instead. It also maps the symbol table to point to the wrapper. This only works on x86 and it has only been tested with RH kernels 2.4.18-27.7.xsmp and 2.4.20-20.7smp. It is quite possible this could crash or screw up a system, so use at your own risk. I've tested the module against the proof-of-concept code written and posted by Christophe Devine. The module catches the exploit and logs the attempt.
It would be less intrusive to the kernel to supply a fixed do_brk() and replace the do_brk with a jump to your version. This way you only have to touch one place in the kernel space (and no guesswork, no modifying of kernel data that might look like a pointer to do_brk() but is really something else...)

Bye

Goetz

-- 
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
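The mechanics of Goetz's suggestion, as an added example that is not code from either poster: a userspace C simulation of patching the first five bytes of the vulnerable function with an x86 `jmp rel32` (opcode `E9`) to a complete replacement. The function names (`sim_do_brk`, `fixed_do_brk`, `hotpatch_jmp`), the constant `SIM_TASK_SIZE` and the use of `mprotect()` to make the text writable are all assumptions standing in for a real kernel; the range check in the replacement is the one the upstream 2.4.23 do_brk() fix added (a fact from kernel history, not from this thread). On a non-x86 build the patch step is skipped and reported as such.

```c
/* Added example (not from the thread): patch a function entry with an x86
 * "jmp rel32" to a fixed replacement, the approach Goetz proposes above.
 * All names here are hypothetical stand-ins for the kernel's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define JMP_REL32_LEN 5
#define SIM_TASK_SIZE 0xC0000000UL  /* assumed 3 GB user/kernel split of 2.4 x86 */

static volatile unsigned long mapped_bytes;   /* observable side effect */

/* Encode "jmp rel32" placed at src that lands on target. The immediate is
 * relative to the end of the 5-byte instruction. Returns 0, or -1 if the
 * displacement does not fit a signed 32-bit immediate (e.g. a module too
 * far from the kernel text on 64-bit). */
int encode_jmp_rel32(uintptr_t src, uintptr_t target, uint8_t out[JMP_REL32_LEN])
{
    int64_t rel = (int64_t)target - (int64_t)(src + JMP_REL32_LEN);
    if (rel > INT32_MAX || rel < INT32_MIN)
        return -1;
    uint32_t imm = (uint32_t)(int32_t)rel;
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)             /* little-endian immediate */
        out[1 + i] = (uint8_t)(imm >> (8 * i));
    return 0;
}

/* Convenience accessor: byte i of the encoded jump, or -1 on error. */
int jmp_rel32_byte(uintptr_t src, uintptr_t target, int i)
{
    uint8_t buf[JMP_REL32_LEN];
    if (i < 0 || i >= JMP_REL32_LEN || encode_jmp_rel32(src, target, buf) != 0)
        return -1;
    return buf[i];
}

/* Stand-in for the unpatched function: it never checks that [addr, addr+len)
 * stays inside user space (the do_brk bug). Returns 0 or -22 (-EINVAL).
 * noinline keeps a real, patchable entry point. */
__attribute__((noinline)) long sim_do_brk(unsigned long addr, unsigned long len)
{
    (void)addr;
    mapped_bytes += len;                    /* "maps" the range, no questions asked */
    return 0;
}

/* Complete replacement, not a wrapper: after the patch the original's first
 * five bytes are gone, so nothing can call back into it. The range check is
 * the one the upstream fix added. */
__attribute__((noinline)) long fixed_do_brk(unsigned long addr, unsigned long len)
{
    if ((addr + len) > SIM_TASK_SIZE || (addr + len) < addr)
        return -22;
    mapped_bytes += len;
    return 0;
}

/* Overwrite the entry of func with a jump to replacement. Userspace version:
 * mprotect() makes the page writable; a kernel module would have to deal with
 * text write protection itself, and on SMP keep other CPUs out of the function
 * while the non-atomic 5-byte write lands. Returns 0 patched, 1 skipped
 * (non-x86), -1 error. */
int hotpatch_jmp(void *func, void *replacement)
{
#if defined(__i386__) || defined(__x86_64__)
    uint8_t patch[JMP_REL32_LEN];
    if (encode_jmp_rel32((uintptr_t)func, (uintptr_t)replacement, patch) != 0)
        return -1;
    uintptr_t pg = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)func & ~(pg - 1);
    uintptr_t end = ((uintptr_t)func + JMP_REL32_LEN + pg - 1) & ~(pg - 1);
    if (mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    memcpy(func, patch, JMP_REL32_LEN);
    mprotect((void *)start, end - start, PROT_READ | PROT_EXEC);
    return 0;
#else
    (void)func; (void)replacement;
    return 1;                               /* jmp rel32 is x86-specific */
#endif
}

/* Returns 1 if the old symbol now rejects a kernel-space range, 0 if this
 * build skipped patching, -1 on error. Call once: the patch is permanent. */
int run_demo(void)
{
    /* volatile pointer: the compiler cannot inline or constant-fold the callee */
    long (*volatile entry)(unsigned long, unsigned long) = sim_do_brk;
    unsigned long kernel_addr = SIM_TASK_SIZE;   /* first byte above user space */

    if (entry(kernel_addr, 0x1000) != 0)
        return -1;                               /* unpatched code accepts it */
    int rc = hotpatch_jmp((void *)sim_do_brk, (void *)fixed_do_brk);
    if (rc < 0) return -1;
    if (rc == 1) return 0;
    return entry(kernel_addr, 0x1000) == -22 ? 1 : -1;
}

int main(void)
{
    printf("jmp 0x1000 -> 0x2000:");
    for (int i = 0; i < JMP_REL32_LEN; i++)
        printf(" %02x", jmp_rel32_byte(0x1000, 0x2000, i));
    printf("\nhot patch result: %d\n", run_demo());
    return 0;
}
```

Build with `gcc -O2` and run; the encoded jump from 0x1000 to 0x2000 is `e9 fb 0f 00 00`, since the displacement is measured from the end of the instruction (0x2000 - 0x1005). Two points the simulation makes concrete: the patched symbol keeps its address, so Shane's scan for every caller and his symbol-table rewrite are unnecessary, and the replacement must be a whole fixed do_brk() because the clobbered prologue leaves nothing for a wrapper to call.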