On Sun, 2008-02-10 at 23:41 +0200, pageexec@××××××××.hu wrote:
> On 10 Feb 2008 at 22:32, Alex Howells wrote:
>
> > I wasn't sure we needed a special patch?
>
> it's a kernel bug so it obviously needs a patch, a fix is in the linus
> tree now, i guess it'll be backported quickly.
>
> > Every single box I've tried this exploit on ranging from
> > hardened-sources-2.6.17 through to hardened-sources-2.6.23, it's been
> > nailed. Could just be my kernel configuration?
>
> UDEREF prevents exploitation for good, even KERNEXEC alone would
> prevent the kind of code execution that this exploit relies on.


FYI everybody... Look at that.. A properly configured host using PaX the
way the PaX Team suggests prevents this and many other types of bugs.

Anyway, for those of you not using PaX the way it's suggested to be used
(which also happens to be the Hardened default), you could/should
consider this patch if you have local users which are not trusted.
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=712a30e63c8066ed84385b12edbfb804f49cbc44
After patching, a user tried >10000 iterations of both exploits and
everything appeared to be fine.

For those of you looking for a quick workaround for your production
servers and who don't/can't reboot just quite yet.. Md of freenode offers
this runtime kernel module.

11:32 < Md> reminder: please do not hurry to reboot your linux servers,
http://www.linux.it/~md/software/novmsplice.tgz is a kernel module
which disables the system calls used by the exploit

The current exploit, while not appearing to work, can result in a DoS.
The feature uderef catches it... but yesterday a user, while testing,
executed the exploit many many times. At the 943rd execution the system
froze.

We are told that, unfortunately, when the bug is triggered the kernel
holds locks, and due to uderef catching it the kernel will also kill the
task. It would do so regardless of uderef if the ptr it dereferences
isn't mapped memory.


----------------

More FYI..
Hardened is nearly dead in respect to the
hardened-profile/hardened-toolchain/hardened-kernel.
It does not have to die, but we are in a bit of a catch-22.
I'm the last dev really watching over those things. Everybody else has
retired and moved on in life. I'm starting to do the same. Weekend and
evening hobbies of other interest are starting to take priority. So the
catch-22 is that hardened needs more devs+proxies and/or to be
re-evaluated.. The kicker is that I don't really have the spare time to
mentor new people. So... Any of you that want to help this project
continue: please stop by #gentoo-hardened on freenode and offer whatever
help you can that fits within your skill traits (self motivated ppl++).


-- 
Ned Ludd <solar@g.o>

-- 
gentoo-hardened@l.g.o mailing list
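The thread recommends a runtime kernel module that disables the system calls the exploit uses as a stopgap until the box can be rebooted onto a patched kernel. An administrator deferring that reboot wants a way to confirm the workaround is actually in effect. The following C program is an added example, not code from the original post, from Md's module, or from the Gentoo Hardened project: it issues a single, well-formed vmsplice(2) call on a pipe and classifies the outcome, with ENOSYS taken to mean the syscall has been disabled. The function and enum names (`probe_vmsplice`, `classify_vmsplice`, `vmsplice_status`) are this example's own, and it assumes a Linux host with glibc.

```c
/* Added example (not from the original mailing-list post): probe whether
 * the vmsplice(2) system call is currently reachable on this kernel, so an
 * administrator can confirm that a syscall-disabling workaround module is
 * active before deferring a reboot. Names here are the example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>
#include <unistd.h>

enum vmsplice_status { VMSPLICE_AVAILABLE, VMSPLICE_DISABLED, VMSPLICE_UNKNOWN };

/* Map a vmsplice() return value and errno to a status. ENOSYS means the
 * syscall is not provided by the running kernel (the workaround is in
 * place); a non-negative byte count means it ran; anything else is
 * inconclusive and should be investigated rather than trusted. */
enum vmsplice_status classify_vmsplice(long ret, int err)
{
    if (ret >= 0)
        return VMSPLICE_AVAILABLE;
    if (err == ENOSYS)
        return VMSPLICE_DISABLED;
    return VMSPLICE_UNKNOWN;
}

const char *vmsplice_status_name(enum vmsplice_status s)
{
    switch (s) {
    case VMSPLICE_AVAILABLE: return "available";
    case VMSPLICE_DISABLED:  return "disabled (ENOSYS)";
    default:                 return "unknown";
    }
}

/* Live probe: splice a tiny, valid, fully mapped user buffer into a pipe.
 * This exercises only the ordinary, intended code path with a well-formed
 * iovec; it is the same call any legitimate user of vmsplice would make. */
enum vmsplice_status probe_vmsplice(void)
{
    int fds[2];
    char buf[] = "probe";                       /* constructed sample data */
    struct iovec iov = { .iov_base = buf, .iov_len = sizeof buf - 1 };
    long ret;
    int err;

    if (pipe(fds) != 0)
        return VMSPLICE_UNKNOWN;
    ret = vmsplice(fds[1], &iov, 1, 0);
    err = errno;
    close(fds[0]);
    close(fds[1]);
    return classify_vmsplice(ret, err);
}

int main(void)
{
    enum vmsplice_status s = probe_vmsplice();
    printf("vmsplice(2): %s\n", vmsplice_status_name(s));
    /* Exit 0 only when the syscall-disabling workaround is confirmed. */
    return s == VMSPLICE_DISABLED ? 0 : 1;
}
```

Note what this does and does not tell you: "disabled" confirms the syscall-removal workaround is active, but "available" on its own says nothing about whether the kernel is patched, since a fixed kernel keeps vmsplice(2) and simply validates its arguments correctly. Checking for the patch itself still means verifying the running kernel version against the commit linked above.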