RE: Linux kernel do_mremap() proof-of-concept exploit code
> From: Bruno Lustosa [mailto:bruno@xxxxxxxxxxx]
> Tested it under Linux 2.6.1-rc1, and surprisingly,
> the machine rebooted instantly. Isn't the mremap
> bug supposed to be fixed on the 2.6 series?
It is, but not in 2.6.1-rc1.
>From http://isec.pl/vulnerabilities/isec-0013-mremap.txt:
"Version: 2.2, 2.4 and 2.6 series"
"The exploitability of the discovered vulnerability is possible,
although not a trivial one. We have identified at least two different
attack vectors for the 2.4 kernel series."
And from
http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.1-rc2
"<torvalds@xxxxxxxxxxxxx>
Don't allow mremap of zero-sized areas."
The do_mremap() vulnerability is fixed in the 2.6 kernel only in
2.6.1-rc2, where as you tested on 2.6.1-rc1.
The latest version of the 2.2 kernel is 2.2.25, but there was no
immediate changelog available. However, it was created on January 3 so I
suspect it would have the patch?
Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@xxxxxxxx
949-231-8496
PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix
<http://www.qwik-fix.net>