From: Martin Loschwitz <madkiss@madkiss.org>
To: linux-kernel@vger.kernel.org
Subject: Re: mremap() bug IMHO not in 2.2
Date: Tue, 6 Jan 2004 10:22:36 +0100
Message-ID: <20040106092236.GA1211@minerva.local.lan>
In-Reply-To: <Pine.LNX.4.58.0401051604550.5970@home.osdl.org>
On Mon, Jan 05, 2004 at 04:08:36PM -0800, Linus Torvalds wrote:
>
>
> The only page that should matter is likely the one at 0xC0000000, where
> there can be extra complications from the fact that we use 4MB pages for
> the kernel, so when fork/exit tries to walk the page table, it would get
> bogus results.
>
This is right, the proof-of-concept exploit to be found on full-disclosure
uses exactly that memory address.
> Still, I'd expect that to lead to a triple fault (and thus a reboot)
> rather than any elevation of privileges..
>
I agree with Linus. I tested the PoC exploit here on Linux 2.4.22-rc2
and Linux 2.4.23 and all it does is simply reboot the box. As
for Linux 2.6.0-test9, I get something like a hangup (the same sound is
played again and again and only reset helps).
I actually am not sure whether this should be called 'local privilege
escalation' or rather 'possibility for Denial of Service attacks'.
> Interesting, in any case. Good catch from whoever found it.
>
> Linus
> -
--
.''`. Martin Loschwitz Debian GNU/Linux developer
: :' : madkiss@madkiss.org madkiss@debian.org
`. `'` http://www.madkiss.org/ people.debian.org/~madkiss/
`- Use Debian GNU/Linux 3.0! See http://www.debian.org/
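The mechanism Linus describes above, a page-table walk that does not expect the kernel's 4 MB entry at 0xC0000000 and therefore reads bogus data, is illustrated below with an added C example. This is my own toy walker written for this page; it is not code from the thread, from the kernel, or from the proof-of-concept being discussed, and it does not touch mremap() at all. It uses the standard i386 non-PAE two-level format (10-bit directory index, 10-bit table index, 12-bit offset; a PDE with the PS bit, bit 7, set maps 4 MB directly with bits 31:22 as the physical base). The simulated physical layout, the addresses, the 0xDEADBEEF filler and all names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Toy two-level i386 (non-PAE) page-table walker. A PDE with PG_PSE set
 * maps a 4 MB page directly; bits 31:22 are the physical base and there is
 * no page table behind it. The i386 kernel maps itself this way at
 * PAGE_OFFSET (0xC0000000).
 */
#define PG_PRESENT  (1u << 0)
#define PG_RW       (1u << 1)
#define PG_USER     (1u << 2)
#define PG_PSE      (1u << 7)

#define PDE_INDEX(va) (((va) >> 22) & 0x3ffu)
#define PTE_INDEX(va) (((va) >> 12) & 0x3ffu)

/* Simulated physical memory: 16 KB, byte-addressed, word-aligned reads.
 * Layout (constructed for this example, not the real kernel's):
 *   0x0000  unrelated data, filled with 0xDEADBEEF
 *   0x1000  page directory
 *   0x2000  page table for the user mapping
 *   0x3000  the user data frame
 */
#define PHYS_WORDS   4096u
#define PGDIR_PA     0x1000u
#define USER_PT_PA   0x2000u
#define USER_FRAME   0x3000u
#define USER_VA      0x08048000u
#define PAGE_OFFSET  0xC0000000u

static uint32_t phys[PHYS_WORDS];
static int tables_built;

static uint32_t phys_read(uint32_t pa)
{
    /* Real hardware would fetch from any bogus address it is handed; the
     * modulo only keeps the toy in bounds. */
    return phys[(pa / 4) % PHYS_WORDS];
}

static void phys_write(uint32_t pa, uint32_t v)
{
    phys[(pa / 4) % PHYS_WORDS] = v;
}

static void build_tables(void)
{
    if (tables_built) return;
    tables_built = 1;
    for (uint32_t pa = 0; pa < 0x1000u; pa += 4)
        phys_write(pa, 0xDEADBEEFu);
    /* user mapping: PDE -> page table -> frame */
    phys_write(PGDIR_PA + PDE_INDEX(USER_VA) * 4,
               USER_PT_PA | PG_USER | PG_RW | PG_PRESENT);
    phys_write(USER_PT_PA + PTE_INDEX(USER_VA) * 4,
               USER_FRAME | PG_USER | PG_RW | PG_PRESENT);
    /* kernel mapping: one 4 MB page covering physical 0 at PAGE_OFFSET */
    phys_write(PGDIR_PA + PDE_INDEX(PAGE_OFFSET) * 4,
               0x00000000u | PG_PSE | PG_RW | PG_PRESENT);
}

/* Translate va -> pa, honouring PS. Returns -1 if not present. */
static int64_t walk_pse_aware(uint32_t va)
{
    build_tables();
    uint32_t pde = phys_read(PGDIR_PA + PDE_INDEX(va) * 4);
    if (!(pde & PG_PRESENT)) return -1;
    if (pde & PG_PSE)
        return (int64_t)((pde & 0xFFC00000u) | (va & 0x003FFFFFu));
    uint32_t pte = phys_read((pde & 0xFFFFF000u) + PTE_INDEX(va) * 4);
    if (!(pte & PG_PRESENT)) return -1;
    return (int64_t)((pte & 0xFFFFF000u) | (va & 0xFFFu));
}

/* The same walk blind to PS: every present PDE is taken as a pointer to a
 * page table. For the 4 MB kernel entry bits 31:12 are not a table address,
 * so the "PTE" it reads is whatever happens to live at that location. */
static int64_t walk_pse_blind(uint32_t va)
{
    build_tables();
    uint32_t pde = phys_read(PGDIR_PA + PDE_INDEX(va) * 4);
    if (!(pde & PG_PRESENT)) return -1;
    uint32_t pte = phys_read((pde & 0xFFFFF000u) + PTE_INDEX(va) * 4);
    if (!(pte & PG_PRESENT)) return -1;
    return (int64_t)((pte & 0xFFFFF000u) | (va & 0xFFFu));
}

int main(void)
{
    uint32_t vas[] = { USER_VA, PAGE_OFFSET, PAGE_OFFSET + 0x123456u };
    for (size_t i = 0; i < sizeof vas / sizeof vas[0]; i++)
        printf("va 0x%08x  pse-aware -> 0x%08llx  pse-blind -> 0x%08llx\n",
               vas[i], (long long)walk_pse_aware(vas[i]),
               (long long)walk_pse_blind(vas[i]));
    return 0;
}
```

Both walkers agree on the ordinary user mapping. For any address in the kernel's 4 MB page the blind walker resolves a made-up frame (here 0xDEADBxxx, because the filler at physical 0 happens to have its present bit set), which is the kind of bogus result a fork/exit walk would act on; whether that ends in a triple fault or something worse depends on what it then does with the entry, which is exactly the question Linus raises.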