Hotfix for new mremap vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Hotfix for new mremap vulnerability
From: Pavel harry_x Palát <harry_x@xxxxxxxxxxx>
Date: Thu, 19 Feb 2004 17:32:30 +0100 (CET)
In-reply-to: <Pine.LNX.4.44.0402181250420.21492-100000@xxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <Pine.LNX.4.44.0402181250420.21492-100000@xxxxxxx>

Greetings,

        Here (http://wizard.ath.cx/fixmremap2.tar.gz) is small hotfix for newly
discovered mremap() vulnerability. It
doesn't directly change do_mremap() code, it just overwrites syscall
handler with LKM. In my opinion it is enough to fix just mremap() syscall 
because at
least on x86 there are no other functions which would use do_mremap
directly. But this may not be true on others platforms (for example
ia64)...

The package contains the hotfix and a small proof of concept program which
can be used to see if kernel is vulnerable.

Use at your own risk.

Pavel Palát

--
Pavel "harry_x" Palát
    harry_x@xxxxxxxxxxx
    irc: #mistral.cz on IRCnet

    The only way of finding the limits to the possible is by going beyond them 
to the impossible
                                                  Arthur C. Clark

Follow-Ups:
- Re: Hotfix for new mremap vulnerability
  - From: Marc-Christian Petersen

References:
- Second critical mremap() bug found in all Linux kernels
  - From: Paul Starzetz

Prev by Date: Re: SNMP community string disclosure in Linksys WAP55AG
Next by Date: Remote Buffer Overflow in PSOProxy 0.91
Previous by thread: Re: Second critical mremap() bug found in all Linux kernels
Next by thread: Re: Hotfix for new mremap vulnerability
Index(es):
- Date
- Thread