Date: Mon, 21 Mar 2011 23:20:19 +0100
From: klondike <klondike@...cosoft.es>
To: oss-security@...ts.openwall.com
Subject: Security advisory: local DOS attack affecting non updated PaX patched kernels.

Linux Security Advisory
=======================

Discoverer: Francisco Blas Izquierdo Riera (klondike)
Kudos: The PaX Team for his help tracking and fixing the issue.
Description: Infinite loop when looking for free memory space when doing an mmap after a grows-down mmap in PaX patched kernels.
CVE-id: A CVE id was requested from MITRE one day before publishing this advisory; we are not Microsoft, and we can't afford to wait one more month on an exploitable issue that has been out there for so long.
Latest version: the latest version of this advisory will be at http://klondike.xiscosoft.es/security/lsa1.txt

Abstract
--------
We have discovered a locally exploitable DOS vulnerability which can be triggered by programs doing an mmap after a MAP_GROWSDOWN mmap. The problem is triggered by a bad bounds check in arch_get_unmapped_area_topdown that makes the loop run forever without releasing the VM semaphore, eventually hanging up the whole system.

Summing it up, this vulnerability is somewhat like a zombie: it is slow but it will get you in the end, as said by blueness, since it will make the VM system unusable and keep blocking processes as they try to access it, while wasting CPU in the infinite loop.

Solved in
---------
This has been solved in the latest set of PaX patches.

Affected versions
-----------------
pax-linux-126.96.36.199-test14.patch
pax-linux-2.6.38-test3.patch
pax-linux-188.8.131.52-test79.patch

And basically any one including the PaX Team's new heap/stack gap check code (published in summer).

Solution
--------
Since the bug has been around for some time, this mmap pattern is evidently not used by most normal applications (the one triggering it and making us realize the problem was pin, http://www.pintool.org/), so, at most, this bug can be avoided by disallowing arbitrary code execution to untrusted users (as done by TPE, for example).

Also, a kernel with full preemption will preempt the looping process and let the rest of the system keep working under increased load. Care must be taken, though, since killing the process won't make the infinite loop end (as the signal won't ever get to it).

PoC
---
A PoC will be released in an update to this advisory once enough time has passed for the patches to be installed by the sysadmins; this will be at least one week.

Salutations
-----------
Salutations and kudos go especially to the PaX Team for all his work in finding and making this problem and for the PoC.

Salutations go too to Rubén González García, Julio Sahuquillo Borrás and Per Stenström, as they are responsible for me using pin and detecting this issue.

Salutations also go to all the people currently working with me in the Gentoo Hardened project and to all those in the project who made me use Gentoo Hardened. Also to Mr. X from daboweb, since he was the initiator of everything :D

Salutations also go to whats of the Spaheads team and to the people at Sofistic for encouraging me to be a security researcher. Also salutations to spender from Grsecurity for the excellent piece of software he did.

Finally, salutations to Juan Vicente Oltra Gutiérrez for teaching me why ethics were so important in hacking.