Date: Mon, 21 Mar 2011 23:20:19 +0100
From: klondike <klondike@...cosoft.es>
To: oss-security@...ts.openwall.com
Subject: Security advisory: local DoS attack affecting non-updated PaX patched kernels.

Linux Security Advisory
=======================

Discoverer: Francisco Blas Izquierdo Riera (klondike)
Kudos: The PaX Team for his help tracking and fixing the issue.
Description: Infinite loop when looking for free memory space when doing an
             mmap after a grows-down mmap in PaX patched kernels.
CVE-id: A CVE id was requested from MITRE one day before publishing this
        advisory; we are not Microsoft, and we can't afford waiting one more
        month on an exploitable issue that has been out there for so long.
Latest version: the latest version of this advisory will be at
                http://klondike.xiscosoft.es/security/lsa1.txt

Abstract
--------
We have discovered a locally exploitable DoS vulnerability which can be
triggered by programs doing an mmap after a MAP_GROWSDOWN mmap.

The problem is triggered by a bad bounds check in
arch_get_unmapped_area_topdown that makes the search loop run forever
without releasing the VM semaphore, eventually hanging the whole system.

Summing up, as blueness put it, this vulnerability is somewhat like a
zombie: it is slow, but it will get you in the end, since it makes the VM
subsystem unusable and keeps blocking processes as they try to access it,
while the stuck process wastes CPU in the infinite loop.

Solved in
---------
This has been solved in the latest set of PaX patches.

Affected versions
-----------------
pax-linux-2.6.37.4-test14.patch
pax-linux-2.6.38-test3.patch
pax-linux-2.6.32.33-test79.patch

and basically any version including the PaX Team's new heap/stack gap check
code (published in the summer).

Solution
--------
Given how long the bug has been around, it is clearly not triggered by most
normal applications (the one triggering it and making us realize the problem
was Pin, http://www.pintool.org/), so, at most, this bug can be avoided by
disabling arbitrary code execution for untrusted users (as done by TPE, for
example).

A kernel with full preemption will also preempt the stuck process and let the
rest of the system keep working, with increased load. Care must be taken,
though, since killing the process won't end the infinite loop (the signal
will never be delivered to it).

PoC
---
A PoC will be released in an update to this advisory once enough time has
passed for sysadmins to install the patches; this will be at least one week.

Salutations
-----------
Salutations and kudos go especially to the PaX Team for all his work in
finding and making this problem and for the PoC.

Salutations go too to Rubén González García, Julio Sahuquillo Borrás and Per
Stenström, as they are responsible for me using Pin and detecting this issue.

Salutations also go to all the people currently working with me in the Gentoo
Hardened project and to all those in the project who made me use Gentoo
Hardened. Also to Mr. X from daboweb, since he was the initiator of
everything :D

Salutations also go to whats of the Spaheads team and to the people at
Sofistic for encouraging me to be a security researcher.

Also salutations to spender from Grsecurity for the excellent piece of
software he did.

Finally, salutations to Juan Vicente Oltra Gutiérrez for teaching me why
ethics are so important in hacking.

