[UNIX] PaX Linux Kernel Patch DoS

• Previous message: SecuriTeam: "[REVS] DNS Cache Snooping"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 4 May 2004 15:51:30 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  PaX Linux Kernel Patch DoS
------------------------------------------------------------------------

SUMMARY

PaX is a collection of intrusion prevention patches for the Linux Kernel.
Among others it can disable execution of code from specific memory pages
that can help prevent buffer overflow exploitations.

A bug in the PaX kernel patch allows for a denial of service condition on
the kernel that effectively freezes the machine.

DETAILS

Vulnerable Systems:
 * PaX kernel patch for the Linux kernel 2.6, versions prior to 2004.05.01

Immune Systems:
 * PaX kernel patch version 2004.05.01

The denial-of-service condition arises when ASLR is enabled. The bug
causes the kernel to enter an infinite loop. Part of the relevant code is
presented below:
 ====================================================
'linux/mm/mmap.c'

 if (start_addr != TASK_UNMAPPED_BASE) {

#ifdef CONFIG_PAX_RANDMMAP
                if (current->flags & PF_PAX_RANDMMAP)
                    start_addr = addr =
TASK_UNMAPPED_BASE + mm->delta_mmap;
                else
#endif
                                                                       
 
                start_addr = addr = TASK_UNMAPPED_BASE;
                goto full_search;
            }
            return -ENOMEM;
 ====================================================

Vendor Status:
Gr-Security are aware of the problem and have already released a newer
version. Also, a patch can be found at
<http://pax.grsecurity.net/pax-linux-2.6.5-200405011700.patch>
http://pax.grsecurity.net/pax-linux-2.6.5-200405011700.patch.

ADDITIONAL INFORMATION

The information has been provided by <mailto:chris@cr-secure.net>
ChrisR-.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[REVS] DNS Cache Snooping"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]