Date: Mon, 21 Mar 2011 23:20:19 +0100
From: klondike <>
Subject: Security advisory: local DOS attack affecting non updated PaX patched

Linux Security Advisory

Discoverer: Francisco Blas Izquierdo Riera (klondike)
Kudos: The PaX Team for his help tracking and fixing the issue.
Description: Infinite loop while searching for free address space when an mmap
             follows a MAP_GROWSDOWN mmap in PaX-patched kernels.
CVE-id: A CVE id was requested from MITRE one day before publishing this advisory;
        we are not Microsoft, and we can't afford to wait one more month on an
        exploitable issue that has been out there for so long.
Latest version: the latest version of this Advisory will be on

We have discovered a locally exploitable DoS vulnerability which can be
triggered by programs doing an mmap after a MAP_GROWSDOWN mmap.

The problem is triggered by a bad bounds check in
that makes the loop run forever without releasing the VM semaphore (mm->mmap_sem),
eventually hanging the whole system.

Summing up, this vulnerability is somewhat like a zombie: slow, but it will get
you in the end, as blueness put it, since it makes the VM subsystem unusable and
keeps blocking processes as they try to take the semaphore, while the looping
task burns CPU.
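To make the loop described above concrete, here is a user-space model of a top-down free-area search that treats a MAP_GROWSDOWN vma as reserving a guard gap below itself. This is an added example, not PaX's or Linux's code, and it does not reproduce the specific faulty bounds check (the advisory does not show it); it shows the invariant a correct search must keep so that it terminates instead of spinning: the upper bound strictly decreases on every iteration, and the "nothing below can fit" check runs before the bound is moved. All constants (mmap base, minimum address, gap size) and both sample layouts are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical user-space model of a top-down free-area search, added here as
 * an example. It is not PaX's or Linux's code; every constant is an assumption. */
#define MODEL_PAGE          4096UL
#define MODEL_MMAP_BASE     0x7f0000000000UL  /* assumed top of the mmap area */
#define MODEL_MMAP_MIN      0x10000UL         /* assumed lowest mappable address */
#define MODEL_GROWSDOWN_GAP (64UL * 1024)     /* assumed guard gap under a growsdown vma */

#define VM_GROWSDOWN 0x1u

struct vma {
    uintptr_t start, end;   /* covers [start, end) */
    unsigned flags;
};

/* Lowest address reserved by `v`: a new mapping placed below it must end at or
 * before this. A MAP_GROWSDOWN vma reserves a gap beneath itself so it can
 * still grow; the subtraction is guarded so it cannot wrap below MODEL_MMAP_MIN. */
static uintptr_t low_limit_of(const struct vma *v)
{
    if (v->flags & VM_GROWSDOWN) {
        if (v->start < MODEL_MMAP_MIN + MODEL_GROWSDOWN_GAP)
            return MODEL_MMAP_MIN;
        return v->start - MODEL_GROWSDOWN_GAP;
    }
    return v->start;
}

/* Top-down search over non-overlapping vmas sorted by ascending start.
 * Returns the start of a hole of `len` bytes, or 0 if none exists.
 * Termination: `high` strictly decreases on every iteration, and the
 * "nothing below can fit" check runs *before* `high` is moved, so the
 * loop can never spin on a bound it has already exhausted. */
uintptr_t find_free_area_topdown(const struct vma *vmas, size_t n, size_t len)
{
    uintptr_t high = MODEL_MMAP_BASE;

    if (len == 0 || len > MODEL_MMAP_BASE - MODEL_MMAP_MIN)
        return 0;

    for (size_t i = n; i-- > 0; ) {
        const struct vma *v = &vmas[i];
        uintptr_t low = low_limit_of(v);

        if (low >= high)
            continue;               /* vma and its gap sit entirely above the bound */
        if (v->end <= high && high - v->end >= len)
            return high - len;      /* the hole between this vma and the bound fits */
        if (low < MODEL_MMAP_MIN + len)
            return 0;               /* bounds check: no hole below can fit, stop */
        high = low;                 /* low < high, so the bound strictly decreases */
    }
    /* invariant: high - MODEL_MMAP_MIN >= len holds here */
    return high - len;
}

/* Independent check that [addr, addr+len) touches no vma and no growsdown gap. */
bool hole_is_free(const struct vma *vmas, size_t n, uintptr_t addr, size_t len)
{
    uintptr_t end = addr + len;

    if (end < addr || addr < MODEL_MMAP_MIN || end > MODEL_MMAP_BASE)
        return false;
    for (size_t i = 0; i < n; i++)
        if (addr < vmas[i].end && end > low_limit_of(&vmas[i]))
            return false;
    return true;
}

/* Constructed sample layouts (not taken from the advisory). */
const struct vma sample_layout[] = {
    { 0x400000UL,       0x401000UL,       0 },            /* a code page */
    { 0x7efffff00000UL, 0x7f0000000000UL, VM_GROWSDOWN }, /* 1 MiB growsdown region at the top */
};
const size_t sample_layout_n = sizeof sample_layout / sizeof sample_layout[0];

/* Address space with no room left: a growsdown vma whose gap would underflow
 * below MODEL_MMAP_MIN, and one mapping filling everything above it. */
const struct vma full_layout[] = {
    { 0x18000UL, 0x20000UL,        VM_GROWSDOWN },
    { 0x20000UL, 0x7f0000000000UL, 0 },
};
const size_t full_layout_n = sizeof full_layout / sizeof full_layout[0];

int main(void)
{
    uintptr_t a = find_free_area_topdown(sample_layout, sample_layout_n, MODEL_PAGE);
    printf("hole below the growsdown gap: %#lx (free: %d)\n",
           (unsigned long)a, hole_is_free(sample_layout, sample_layout_n, a, MODEL_PAGE));
    printf("full address space: %#lx (0 means no hole, not an endless search)\n",
           (unsigned long)find_free_area_topdown(full_layout, full_layout_n, MODEL_PAGE));
    return 0;
}
```

The second layout is the interesting one for this advisory: once the growsdown vma's gap has pushed the bound down to the floor, the only correct outcome is a clean failure, and the exit test has to sit before the bound is updated; a search that first moves the bound and only then compares can end up with an unsigned value that never satisfies its exit condition.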

Solved in
This has been solved in the latest set of PaX patches.

Affected versions

And basically any kernel that includes the PaX Team's new heap/stack gap check
code (published in the summer).

Since the bug has been around for some time, it is clearly not triggered by
normal applications (the one that triggered it and made us notice the
was pin), so, at most, this bug can be avoided
arbitrary code execution to untrusted users (as done by grsecurity's TPE,
Trusted Path Execution, for example).

Also, a kernel with full preemption will preempt the looping process and keep
the rest of the system working, with increased load. Care must be taken, though,
since
the process won't make the infinite loop end (as the signal won't ever get to

A PoC will be released in an update to this advisory once enough time has passed
for sysadmins to install the patches; this will be at least one
Salutations and kudos go especially to the PaX Team for all his work in
and making this problem and for the PoC.

Salutations go too to Rubén González García, Julio Sahuquillo Borrás and Per
Stenström, as they are responsible for my using pin and thus detecting this issue.

Salutations also go to all the people currently working with me in the
Hardened project and to all those in the project who made me use Gentoo
Hardened. Also to Mr. X from daboweb, since he was the initiator of
everything :D

Salutations also go to whats of the Spaheads team and to the people at
for encouraging me to be a security researcher.

Also salutations to spender from Grsecurity for the excellent piece of
he did.

Finally salutations to Juan Vicente Oltra Gutiérrez for teaching me why
were so important in hacking.
