Re: Hot fix for do_brk bug

From: Shane Canon (canon_at_nersc.gov)
To: bugtraq@securityfocus.com
Date: Tue, 09 Dec 2003 11:59:44 -0800

    I had a similar approach working, but was still tweaking the implementation. You beat
    me to the punch. Doh! My working version did an objdump of vmlinux to determine the
    opcode boundaries.

    One potential flaw in this approach is that the instructions that are
    overwritten by the jump and copied to the assembler routine (dobrk2)
    can't include any operations that have relative addresses or offsets.
    Fortunately, this seems quite rare from a brief scan of various kernel
    routines. However, it's probably worth checking the assembler routine
    before issuing the module load. I still think this is a better approach than
    my initial version that "fixed" calls and jumps.

    Nice work.

    --Shane

    > > It would be less intrusive to the kernel to supply a fixed do_brk()
    > > and replace the do_brk with a jump to your version.
    >
    > I wrote a similar patch a few days ago. The patch only modifies the first
    > instructions of do_brk() (it replaces them with a jmp to a function in the LKM).
    > It can be downloaded from http://wizard.ath.cx/fixbrk.tar.gz
    >
    > But beware, I wrote it in a rush and it's pretty oddly written :-) But it
    > worked on my two servers (both were running the 2.4.21 kernel with the grsecurity
    > patch).
    >
    > Greetings
    >
    > Pavel Palát
    >
    > --
    > Pavel "harry_x" Palát
    > harry_x@babylon5.cz
    > irc: #mistral.cz on IRCnet
    >
    > The only way of finding the limits of the possible is by going beyond them into the impossible.
    > Arthur C. Clarke
    >

    ------------------------------------------------------------------------
    Shane Canon                                   voice: 510-486-6981
    PSDF Project Lead                             fax:   510-486-7520
    National Energy Research Scientific Computing Center
    1 Cyclotron Road, Mailstop 943-256
    Berkeley, CA 94720                            canon@nersc.gov
    ------------------------------------------------------------------------
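The check Shane asks for above, worked through as an added example in C. This is not code from either hot fix (fixbrk or Shane's version); it models the mechanism both describe for i386: a `jmp rel32` written over the start of do_brk() that lands in a fixed copy in the LKM, and a trampoline ("dobrk2") holding the displaced instructions followed by a jump back into the original. The point of the example is the two conditions the displaced bytes must meet: the cut must fall on an instruction boundary, and none of the copied instructions may be a relative branch, since a copied `rel8`/`rel32` would point somewhere else once it lives in the trampoline. A toy decoder covering a handful of common prologue opcodes stands in for the objdump pass Shane mentions; anything it does not recognise is refused rather than guessed. The addresses 0xc0123450 (original), 0xd0800000 (trampoline) and 0xd0800100 (fixed function) and the prologue bytes are hypothetical, constructed for the example. Nothing here touches kernel text; it only computes the bytes a module would write.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define JMP_REL32_LEN 5                     /* e9 rel32 */
static void store32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
uint32_t load32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Bytes of ModRM (+SIB, +disp) after an opcode, 32-bit addressing; -1 if truncated. */
static int modrm_len(const uint8_t *p, size_t avail)
{
    if (avail < 1) return -1;
    int mod = p[0] >> 6, rm = p[0] & 7, len = 1;
    if (mod == 3) return 1;                            /* register operand, no memory */
    if (rm == 4) {                                     /* SIB byte follows */
        if (avail < 2) return -1;
        len++;
        if (mod == 0 && (p[1] & 7) == 5) len += 4;     /* SIB with no base: disp32 */
    } else if (mod == 0 && rm == 5) {
        len += 4;                                      /* [disp32] with no base register */
    }
    len += mod == 1 ? 1 : mod == 2 ? 4 : 0;
    return (size_t)len <= avail ? len : -1;
}

/* Length of one instruction, or -1 if this toy decoder does not know it (a real pass
   uses objdump). Sets *rel for rel8/rel32 branches, which cannot be copied verbatim. */
static int insn_len(const uint8_t *p, size_t avail, int *rel)
{
    int m;
    *rel = 0;
    if (avail < 1) return -1;
    uint8_t op = p[0];
    if ((op >= 0x70 && op <= 0x7f) || op == 0xeb || (op >= 0xe0 && op <= 0xe3)) { *rel = 1; return 2; }
    if (op == 0xe8 || op == 0xe9) { *rel = 1; return 5; }                                   /* call/jmp rel32 */
    if (op == 0x0f && avail >= 2 && p[1] >= 0x80 && p[1] <= 0x8f) { *rel = 1; return 6; }   /* jcc rel32 */
    if ((op >= 0x50 && op <= 0x5f) || op == 0x90 || op == 0xc3 || op == 0xc9) return 1;     /* push/pop, nop, ret, leave */
    if (op >= 0xb8 && op <= 0xbf) return avail >= 5 ? 5 : -1;                               /* mov r32, imm32 */
    switch (op) {
    case 0x01: case 0x03: case 0x29: case 0x2b: case 0x31: case 0x33:
    case 0x39: case 0x3b: case 0x85: case 0x89: case 0x8b: case 0x8d:   /* add/sub/xor/cmp/test/mov/lea */
        m = modrm_len(p + 1, avail - 1);
        return m < 0 ? -1 : 1 + m;
    case 0x83:                                                         /* alu r/m32, imm8 */
        m = modrm_len(p + 1, avail - 1);
        return (m < 0 || (size_t)(2 + m) > avail) ? -1 : 2 + m;
    default: return -1;
    }
}

/* Smallest run of whole instructions covering the 5-byte jmp written over the start
   of the original. -1 if the run would split an unknown instruction or include a
   relative branch: refuse to load the module rather than patch blindly. */
int patch_prefix_len(const uint8_t *code, size_t n)
{
    size_t off = 0;
    while (off < JMP_REL32_LEN) {
        int rel, len = insn_len(code + off, n - off, &rel);
        if (len < 0 || rel) return -1;
        off += len;
    }
    return (int)off;
}

/* The jmp that goes over the first bytes of the original; its target is the fixed
   copy in the LKM. rel32 is measured from the end of the jmp itself. */
void build_hook(uint32_t orig, uint32_t fixed, uint8_t out[JMP_REL32_LEN])
{
    out[0] = 0xe9;
    store32(out + 1, fixed - (orig + JMP_REL32_LEN));
}

/* The "dobrk2" routine: the displaced instructions, then a jmp back into the original
   just past the hook. Returns bytes written, or -1 if the prefix is unsafe. */
int build_trampoline(uint32_t orig, const uint8_t *code, size_t n,
                     uint32_t tramp, uint8_t *out, size_t outsz)
{
    int pl = patch_prefix_len(code, n);
    if (pl < 0 || (size_t)pl + JMP_REL32_LEN > outsz) return -1;
    memcpy(out, code, (size_t)pl);
    out[pl] = 0xe9;
    store32(out + pl + 1, (orig + pl) - (tramp + pl + JMP_REL32_LEN));
    return pl + JMP_REL32_LEN;
}

/* Constructed samples, not bytes from any real kernel. The first is a typical gcc
   i386 prologue; the second has a call rel32 inside the first 5 bytes. */
const uint8_t sample_prologue[] = { 0x55, 0x89, 0xe5, 0x83, 0xec, 0x10, 0x57, 0x56, 0x53 };
const uint8_t sample_relative[] = { 0x55, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x89, 0xe5 };

int main(void)
{
    uint8_t tramp[16];                         /* 0xc0123450 / 0xd0800000 are hypothetical addresses */
    int n = build_trampoline(0xc0123450u, sample_prologue, sizeof sample_prologue, 0xd0800000u, tramp, sizeof tramp);
    printf("trampoline (%d bytes):", n);
    for (int i = 0; i < n; i++) printf(" %02x", tramp[i]);
    printf("\nrelative sample: %d\n", patch_prefix_len(sample_relative, sizeof sample_relative));
    return 0;
}
```

With the constructed prologue the third instruction (`83 ec 10`) ends at byte 6, so six bytes are displaced even though the hook is only five: the hook's trailing byte is dead and the trampoline's return jump targets the original plus six, not plus five. The second sample is refused outright because its `call rel32` would resolve to a different target from inside the trampoline; that is exactly the case Shane says a check before `insmod` should catch. A real module would additionally have to deal with the remaining risk this check does not cover, such as another code path jumping into the middle of the displaced bytes.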

