New kernel vulnerability

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

New kernel vulnerability

Postby devastor » Wed Feb 18, 2004 10:07 am

Another critical kernel vulnerability in mremap(3) system call was announced today..

http://isec.pl/vulnerabilities/isec-001 ... -unmap.txt

Kernel 2.4.25 has been released and fixes this issue.
However grsecurity for 2.4.24 won't patch cleanly to .25 so some changes are required.

Hopefully spender will make a new patch for it soon 8)
devastor
 
Posts: 41
Joined: Fri Oct 11, 2002 5:07 pm

Postby miha » Wed Feb 18, 2004 1:57 pm

2.4.24-grsec is not affected (at least I tried):

Code: Select all
mmap: Cannot allocate memory
created ~5346 VMAs
now mremapping 0x05385000 at 0x05381000
kernel may not be vulnerable


regards,
M.
miha
 
Posts: 28
Joined: Sat Nov 30, 2002 9:09 am

Postby devastor » Wed Feb 18, 2004 2:33 pm

I wouldn't count on that.
2.4.24 with grsec 1.9.13

mmap: Cannot allocate memory
created ~65865 VMAs
now mremapping 0x40521000 at 0x4051D000
zsh: 6170 segmentation fault ./poc

dmesg:

kernel BUG at mmap.c:1424!
invalid operand: 0000
CPU: 0
EIP: 0010:[<c01b0a85>] Not tainted
EFLAGS: 00010287
eax: 4051e000 ebx: 00000001 ecx: c129bf38 edx: c129bf20
esi: c129bfc4 edi: c1306104 ebp: c13060c0 esp: c12abecc
ds: 0018 es: 0018 ss: 0018
Process poc (pid: 6170, stackpage=c12ab000)
Stack: 00000001 c129bfc4 c1306104 00001000 00001000 c01b6210 c10ba300 c01b62a0
c10ba300 c13060c0 c12aa000 00001000 c10ba31c ffff0001 00000002 00000000
c13060c0 c129bf80 c129bec0 c01b637a 40521000 00001000 00001000 00000003
Call Trace: [<c01b6210>] [<c01b62a0>] [<c01b637a>] [<c0192e93>]

Code: 0f 0b 90 05 e1 66 2f c0 8b 7c 24 10 8b 74 24 14 8b 5c 24 18
devastor
 
Posts: 41
Joined: Fri Oct 11, 2002 5:07 pm

:)

Postby mar » Wed Feb 18, 2004 2:43 pm

How long time do grsec usally use to release an update?
I dont like to have my servers standing exposed :roll:
mar
 
Posts: 3
Joined: Wed Feb 18, 2004 2:42 pm

Postby spender » Wed Feb 18, 2004 3:08 pm

I've just put a pre-release 1.9.14 patch up on http://grsecurity.net/~spender/ for testing. It's against 2.4.25. Let me know about any problems. It has the latest PaX code in it also.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby jagdfalke » Wed Feb 18, 2004 3:09 pm

http://linux.bkbits.net:8080/linux-2.4/ ... set@1.1323

that is the fix for the most important vulnerability if I don't err

but I'd like to see patches for new versions asap nevertheless :)

cu
jagdfalke
jagdfalke
 
Posts: 2
Joined: Sat Feb 14, 2004 11:52 am

Postby miha » Wed Feb 18, 2004 3:21 pm

devastor wrote:I wouldn't count on that.
2.4.24 with grsec 1.9.13

mmap: Cannot allocate memory
created ~65865 VMAs
now mremapping 0x40521000 at 0x4051D000
zsh: 6170 segmentation fault ./poc

dmesg:

kernel BUG at mmap.c:1424!
invalid operand: 0000
CPU: 0
EIP: 0010:[<c01b0a85>] Not tainted
EFLAGS: 00010287
eax: 4051e000 ebx: 00000001 ecx: c129bf38 edx: c129bf20
esi: c129bfc4 edi: c1306104 ebp: c13060c0 esp: c12abecc
ds: 0018 es: 0018 ss: 0018
Process poc (pid: 6170, stackpage=c12ab000)
Stack: 00000001 c129bfc4 c1306104 00001000 00001000 c01b6210 c10ba300 c01b62a0
c10ba300 c13060c0 c12aa000 00001000 c10ba31c ffff0001 00000002 00000000
c13060c0 c129bf80 c129bec0 c01b637a 40521000 00001000 00001000 00000003
Call Trace: [<c01b6210>] [<c01b62a0>] [<c01b637a>] [<c0192e93>]

Code: 0f 0b 90 05 e1 66 2f c0 8b 7c 24 10 8b 74 24 14 8b 5c 24 18


ok, here's another one:

Code: Select all
miha@devil [~]# ./p2
mmap: Cannot allocate memory
created ~16558 VMAs
now mremapping 0x102B5000 at 0x102B1000
kernel may not be vulnerable
miha@devil [~]# uname -a
Linux devil 2.4.24-grsec #1 SMP Fri Jan 9 10:57:24 EST 2004 i686 unknown


and dmesg:

Code: Select all
grsec: From xxx.xxx.xxx.xxx: attempted resource overstep by requesting 204804096 for RLIMIT_AS against limit 204800000 by (p2:26341) UID(32008) EUID(32008), parent (bash:15448) UID(32008) EUID(32008)


tested on 5 machines, and so far all of them showed the same result (as above)..
miha
 
Posts: 28
Joined: Sat Nov 30, 2002 9:09 am

Postby exci » Wed Feb 18, 2004 3:38 pm

For those with the "kernel may not be vulnerable", what option/acl is it that stopped it?

It 'crashed' me (2.4.24-grsec-1.9.13), I can't use things like top/ps/w etc. but I can still compile my new kernel on it and use the services that I have running.
It isn't that 'critical' to me :P (edit: oe, just read that you could get root access out of it, so critical++ ;) )

Code: Select all
make[1]: Entering directory `/usr/src/linux-2.4.25/kernel'
make all_targets
make[2]: Entering directory `/usr/src/linux-2.4.25/kernel'
gcc -D__KERNEL__ -I/usr/src/linux-2.4.25/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=athlon   -nostdinc -iwithprefix include -DKBUILD_BASENAME=sched  -fno-omit-frame-pointer -c -o sched.o sched.c
In file included from /usr/src/linux-2.4.25/include/asm/mmu_context.h:5,
                 from sched.c:36:
/usr/src/linux-2.4.25/include/asm/desc.h: In function `load_LDT':
/usr/src/linux-2.4.25/include/asm/desc.h:92: warning: assignment discards qualifiers from pointer target type
/usr/src/linux-2.4.25/include/asm/desc.h: In function `_load_LDT':
/usr/src/linux-2.4.25/include/asm/desc.h:103: error: structure has no member named `segments'
make[2]: *** [sched.o] Error 1
make[2]: Leaving directory `/usr/src/linux-2.4.25/kernel'
make[1]: *** [first_rule] Error 2
make[1]: Leaving directory `/usr/src/linux-2.4.25/kernel'
make: *** [_dir_kernel] Error 2


the kernel can't compile with the new grsec patch
Last edited by exci on Wed Feb 18, 2004 4:06 pm, edited 2 times in total.
exci
 
Posts: 1
Joined: Wed Feb 18, 2004 3:33 pm

Postby drixter » Wed Feb 18, 2004 3:42 pm

spender wrote:I've just put a pre-release 1.9.14 patch up on http://grsecurity.net/~spender/ for testing. It's against 2.4.25. Let me know about any problems. It has the latest PaX code in it also.

-Brad


Problem with compile, blank kernel compile good, with this grsec patch doesn't

Code: Select all
[root@fido linux]# make bzImage
scripts/split-include include/linux/autoconf.h include/config
gcc -D__KERNEL__ -I/usr/src/linux-2.4.25/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=athlon   -DKBUILD_BASENAME=main -c -o init/main.o init/main.c
. scripts/mkversion > .tmpversion
gcc -D__KERNEL__ -I/usr/src/linux-2.4.25/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=athlon  -DUTS_MACHINE='"i386"' -DKBUILD_BASENAME=version -c -o init/version.o init/version.c
gcc -D__KERNEL__ -I/usr/src/linux-2.4.25/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=athlon   -DKBUILD_BASENAME=do_mounts -c -o init/do_mounts.o init/do_mounts.c
make CFLAGS="-D__KERNEL__ -I/usr/src/linux-2.4.25/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=athlon " -C  kernel
make[1]: Entering directory `/usr/src/linux-2.4.25/kernel'
make all_targets
make[2]: Entering directory `/usr/src/linux-2.4.25/kernel'
gcc -D__KERNEL__ -I/usr/src/linux-2.4.25/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=athlon   -nostdinc -iwithprefix include -DKBUILD_BASENAME=sched  -fno-omit-frame-pointer -c -o sched.o sched.c
In file included from /usr/src/linux-2.4.25/include/asm/mmu_context.h:5,
                 from sched.c:36:
/usr/src/linux-2.4.25/include/asm/desc.h: In function `load_LDT':
/usr/src/linux-2.4.25/include/asm/desc.h:92: warning: assignment discards qualifiers from pointer target type
/usr/src/linux-2.4.25/include/asm/desc.h: In function `_load_LDT':
/usr/src/linux-2.4.25/include/asm/desc.h:103: error: structure has no member named `segments'
make[2]: *** [sched.o] Błąd 1
make[2]: Leaving directory `/usr/src/linux-2.4.25/kernel'
make[1]: *** [first_rule] Błąd 2
make[1]: Leaving directory `/usr/src/linux-2.4.25/kernel'
make: *** [_dir_kernel] Błąd 2


Code: Select all
[root@fido root]# ./ver_linux
If some fields are empty or look unusual you may have an old version.
Compare to the current minimal requirements in Documentation/Changes.

Linux fido.e-utp.net 2.4.24-grsec #4 sob lut 7 11:17:50 CET 2004 i686 AMD Duron(tm) Processor

Gnu C                  3.3.2
Gnu make               3.80
util-linux             2.11x
mount                  2.11x
modutils               2.4.22
e2fsprogs              1.32
jfsutils               1.0.24
Linux C Library        2.3.1
Dynamic linker (ldd)   2.3.1
Procps                 3.1.14
Net-tools              1.60
Console-tools          0.2.3
Sh-utils               5.1.2
Modules Loaded         nvidia cls_fw cls_u32 sch_sfq sch_htb ipt_LOG ipt_unclean ipt_MARK ipt_multiport ipt_state ipt_REJECT iptable_mangle iptable_nat ip_conntrack iptable_filter ip_tables 8139too mii crc32 nls_iso8859-2
Last edited by drixter on Wed Feb 18, 2004 3:45 pm, edited 1 time in total.
drixter
 
Posts: 1
Joined: Wed Feb 18, 2004 3:35 pm

Postby devastor » Wed Feb 18, 2004 3:42 pm

That's strange. Limitting users's virtual memory shouldn't help in this case..

testing with this PoC?

http://www.derkeiler.com/Mailing-Lists/ ... /0052.html
devastor
 
Posts: 41
Joined: Fri Oct 11, 2002 5:07 pm

Postby miha » Wed Feb 18, 2004 4:06 pm

yes, using http://www.derkeiler.com/Mailing-Lists/ ... /0052.html
It does not work on both with enabled and disabled ACLs..
Using custom grsecurity config in kernel.

regards,
M.
miha
 
Posts: 28
Joined: Sat Nov 30, 2002 9:09 am

2.4.25 patch error

Postby underattack » Wed Feb 18, 2004 4:35 pm

on 'make bzImage', I get the following error:

cc -D__KERNEL__ -I/usr/src/linux-2.4.25/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=i686 -nostdinc -iwithprefix include -DKBUILD_BASENAME=sched -fno-omit-frame-pointer -c -o sched.o sched.c
In file included from /usr/src/linux-2.4.25/include/asm/mmu_context.h:5,
from sched.c:36:
/usr/src/linux-2.4.25/include/asm/desc.h: In function `load_LDT':
/usr/src/linux-2.4.25/include/asm/desc.h:92: warning: assignment discards qualifiers from pointer target type
/usr/src/linux-2.4.25/include/asm/desc.h: In function `_load_LDT':
/usr/src/linux-2.4.25/include/asm/desc.h:103: structure has no member named `segments'
underattack
 
Posts: 4
Joined: Wed Feb 18, 2004 4:08 pm

Postby devastor » Wed Feb 18, 2004 4:51 pm

Odd, so far it has caused a DoS or an oops on all systems i've tested it on..
maybe some memory limit stops that specific exploit from working..
but it really doesn't mean you wouldn't be vulnerable.. as the exploit also says :)
devastor
 
Posts: 41
Joined: Fri Oct 11, 2002 5:07 pm

Postby mar » Wed Feb 18, 2004 5:00 pm

Code: Select all
gcc -D__KERNEL__ -I/usr/src/linux-2.4.25/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=i686   -nostdinc -iwithprefix include -DKBUILD_BASENAME=sched  -fno-omit-frame-pointer -c -o sched.o sched.c
In file included from /usr/src/linux-2.4.25/include/asm/mmu_context.h:5,
                 from sched.c:36:
/usr/src/linux-2.4.25/include/asm/desc.h: In function `load_LDT':
/usr/src/linux-2.4.25/include/asm/desc.h:92: warning: assignment discards qualifiers from pointer target type
/usr/src/linux-2.4.25/include/asm/desc.h: In function `_load_LDT':
/usr/src/linux-2.4.25/include/asm/desc.h:103: structure has no member named `segments'
make[2]: *** [sched.o] Error 1
make[2]: Leaving directory `/usr/src/linux-2.4.25/kernel'
make[1]: *** [first_rule] Error 2
make[1]: Leaving directory `/usr/src/linux-2.4.25/kernel'
make: *** [_dir_kernel] Error 2


This error do I get when trying to compile 2.4.25 with pre-release of grsec 1.9.14.
mar
 
Posts: 3
Joined: Wed Feb 18, 2004 2:42 pm

Postby devastor » Wed Feb 18, 2004 5:29 pm

This patch should fix that:

http://silen.fi/usr/grsec.patch
devastor
 
Posts: 41
Joined: Fri Oct 11, 2002 5:07 pm

Next

Return to grsecurity support