Re: Linux kernel exploit



On Fri Dec 10, 2010 at 17:52:37, Wolf wrote:
Well, I'm a first time writer to Bugtraq, but this is interesting. I
commented out the call to clone(), and after it simply called
trigger(fildes), and apparently, it works. Only tested on a stock
install of Ubuntu 10.10, but I thought the bug was in clone()?

No, the bug is not checking the address overwrite limit in the do_exit() path,
which might offer the chance to overwrite an arbitrary memory location. The
clone call in the supplied PoC just made sure do_exit() actually accesses
the memory clearing the child tid (using CLONE_CHILD_CLEARTID). So if
your running process, for whatever reason, also had CLONE_CHILD_CLEARTID set,
it would trigger the problem as well.
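The mechanism the reply describes can be watched from user space without any exploit: the kernel remembers a user-supplied pointer (clear_child_tid) for a task, and when that task exits, do_exit() writes a zero through it and issues a futex wake. The following is an added example written for this page, not the PoC that was posted to the list, and it only shows the benign write; in a correctly behaving kernel that write is confined to user memory by the usual address-limit check, which is what the reply says the affected do_exit() path lacked. It assumes Linux with glibc's clone() wrapper; the sentinel value 0x41414141 and the function and struct names are constructed for illustration. It demonstrates both ways a task ends up with clear_child_tid set: the CLONE_CHILD_CLEARTID flag at clone() time, and set_tid_address(2) from an already running task (the "running process" case in the reply). It also shows that the clear only happens when the child's mm is shared (CLONE_VM), which is why the PoC needed the clone call at all.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#define SENTINEL 0x41414141   /* constructed stand-in for "whatever value was there" */

struct child_args {
    volatile int *slot;   /* user-space word the kernel will zero on exit */
    int via_syscall;      /* 1: install the pointer with set_tid_address(2) */
    int tid_seen;         /* what the child observed the kernel wrote       */
};

static int child_fn(void *p)
{
    struct child_args *a = p;
    if (a->via_syscall) {
        /* A running task can hand the kernel a new clear_child_tid pointer
         * at any time; set_tid_address() returns the caller's tid. */
        a->tid_seen = (int)syscall(SYS_set_tid_address, (int *)a->slot);
    } else {
        /* CLONE_CHILD_SETTID already stored our tid here before we ran. */
        a->tid_seen = *a->slot;
    }
    return 0;   /* exit -> do_exit() -> put_user(0, clear_child_tid) + futex wake */
}

/* Spawn a child whose clear_child_tid points at a static slot, wait for it to
 * exit, and return what the slot holds afterwards (0 if the kernel cleared it,
 * SENTINEL if it never touched our copy), or -1 on error.  tid_seen may be NULL. */
int cleartid_after_exit(int via_syscall, int share_vm, int *tid_seen)
{
    static volatile int slot;              /* static: must outlive the child */
    enum { STACK_SIZE = 64 * 1024 };
    slot = SENTINEL;

    struct child_args a = { &slot, via_syscall, 0 };
    char *stack = malloc(STACK_SIZE);
    if (!stack)
        return -1;

    /* No CLONE_THREAD, so no TLS setup is needed and plain waitpid() works.
     * CLONE_VM is what makes the kernel's write land in *our* mapping: the
     * child tid is only cleared when the mm is still shared with someone. */
    int flags = SIGCHLD;
    if (share_vm)
        flags |= CLONE_VM;
    if (!via_syscall)
        flags |= CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID;

    pid_t pid = clone(child_fn, stack + STACK_SIZE, flags, &a,
                      NULL, NULL, (int *)&slot);
    if (pid < 0) {
        free(stack);
        return -1;
    }

    int status;
    if (waitpid(pid, &status, 0) != pid) {
        free(stack);
        return -1;
    }
    /* do_exit() runs mm_release() before the parent is notified, so the
     * zero (if any) is already visible here. */
    if (tid_seen)
        *tid_seen = a.tid_seen;
    free(stack);
    return slot;
}

int main(void)
{
    int tid;
    printf("CLONE_CHILD_CLEARTID, shared mm : slot=%#x (child saw tid %d)\n",
           cleartid_after_exit(0, 1, &tid), tid);
    printf("set_tid_address, shared mm      : slot=%#x (child tid %d)\n",
           cleartid_after_exit(1, 1, &tid), tid);
    printf("CLONE_CHILD_CLEARTID, private mm: slot=%#x\n",
           cleartid_after_exit(0, 0, NULL));
    return 0;
}
```

The first two runs end with the slot zeroed, which is the write the reply is talking about; the third leaves the sentinel untouched because the child's exit path never writes into a private mm, so a fork()-style child would not have exercised the path.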


