PaX Linux Kernel 2.6 Patches DoS Advisory
http://www.cr-secure.net
Found by: borg (ChrisR-)
A small bug in PaX was found.
What is PaX?
-----------------------
PaX is a collection of intrusion prevention patches for the Linux Kernel
2.2, 2.4, and 2.6.
This advisory only affects the PaX patches for the 2.6 linux kernel.
PaX is located at http://pax.grsecurity.net
Impact?
------------------
Denial of service through putting the kernel into an infinite loop when
ASLR is enabled.
Vulnerable PaX code?
-----------------------
(sorry for white space)
====================================================
'linux/mm/mmap.c'
if (start_addr != TASK_UNMAPPED_BASE) {
#ifdef CONFIG_PAX_RANDMMAP
if (current->flags & PF_PAX_RANDMMAP)
start_addr = addr =
TASK_UNMAPPED_BASE + mm->delta_mmap;
else
#endif
start_addr = addr = TASK_UNMAPPED_BASE;
goto full_search;
}
return -ENOMEM;
====================================================
And the correct code,
grab the patch at
http://pax.grsecurity.net/pax-linux-2.6.5-200405011700.patch
=====================================================
Exploit Code?
-----------------------
Im not releasing my exploit code for this just yet. Pherhaps I never will.
But its very simple code, simple enough to do in 2 lines. Your not getting
anymore proof of concept code from me on any advisories.
Fix?
-----------------------
PaX team is aware of the problem and has already released a fix for this
on the PaX homepage.
Thanks and greets:
Mattjf, TLharris, Shrike, think, and efnet #cryptography
http://www.cr-secure.net
chris@xxxxxxxxxxxxx