<<< Date Index >>>     <<< Thread Index >>>

RE: Linux kernel do_mremap() proof-of-concept exploit code



> From: Bruno Lustosa [mailto:bruno@xxxxxxxxxxx] 
> Tested it under Linux 2.6.1-rc1, and surprisingly, 
> the machine rebooted instantly. Isn't the mremap 
> bug supposed to be fixed on the 2.6 series?

It is, but not in 2.6.1-rc1.

>From http://isec.pl/vulnerabilities/isec-0013-mremap.txt:

"Version:   2.2, 2.4 and 2.6 series"

"The exploitability of the discovered vulnerability is possible,
although not a trivial one. We have identified at least two different
attack vectors for the  2.4 kernel series."

And from
http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.1-rc2

"<torvalds@xxxxxxxxxxxxx>
        Don't allow mremap of zero-sized areas."

The do_mremap() vulnerability is fixed in the 2.6 kernel only in
2.6.1-rc2, where as you tested on 2.6.1-rc1.

The latest version of the 2.2 kernel is 2.2.25, but there was no
immediate changelog available. However, it was created on January 3 so I
suspect it would have the patch?


Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@xxxxxxxx
949-231-8496

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix
<http://www.qwik-fix.net>