| 1 |
On Sun, 2008-02-10 at 23:41 +0200, pageexec@××××××××.hu wrote: |
| 2 |
> On 10 Feb 2008 at 22:32, Alex Howells wrote: |
| 3 |
> |
| 4 |
> > I wasn't sure we needed a special patch? |
| 5 |
> |
| 6 |
> it's a kernel bug so it obviously needs a patch, a fix is in the linus |
| 7 |
> tree now, i guess it'll be backported quickly. |
| 8 |
> |
| 9 |
> > Every single box I've tried this exploit on ranging from |
| 10 |
> > hardened-sources-2.6.17 through to hardened-sources-2.6.23, its been |
| 11 |
> > nailed. Could just be my kernel configuration? |
| 12 |
> |
| 13 |
> UDEREF prevents exploitation for good, even KERNEXEC alone would |
| 14 |
> prevent the kind of code execution that this exploit relies on. |
| 15 |
|
| 16 |
|
| 17 |
FYI everybody... Look at that.. A properly configured host using PaX the |
| 18 |
way the PaX Team suggests prevents this and may other types of bugs. |
| 19 |
|
| 20 |
Anyway for those of you not using PaX the way it's suggested to use |
| 21 |
(which also happens to be Hardened defaults) then you could/should |
| 22 |
consider this patch if you have local users which are not trusted. |
| 23 |
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=712a30e63c8066ed84385b12edbfb804f49cbc44 |
| 24 |
After patching a user tried >10000 iterations of both exploits and |
| 25 |
everything appeared to be fine. |
| 26 |
|
| 27 |
For those of you looking for a quick work around for your production |
| 28 |
servers and don't/can't reboot just quite yet.. Md of freenode offers |
| 29 |
this runtime kernel module. |
| 30 |
|
| 31 |
11:32 < Md> reminder: please do not hurry to reboot your linux servers, |
| 32 |
http://www.linux.it/~md/software/novmsplice.tgz is a kernel module |
| 33 |
which disables the system calls used by the exploit |
| 34 |
|
| 35 |
The current exploit while not appearing to work can result in a DoS |
| 36 |
The feature uderef catches it... but yesterday a user while in testing |
| 37 |
executed the exploit many many times. At 943rd execution the system |
| 38 |
froze. |
| 39 |
|
| 40 |
We are told that while unfortunately when the bug is triggered, the |
| 41 |
kernel holds locks and due to uderef catching it, and the kernel will |
| 42 |
also kill the task. It would do so regardless of uderef if the ptr it |
| 43 |
dereferences isn't mapped memory. |
| 44 |
|
| 45 |
|
| 46 |
---------------- |
| 47 |
|
| 48 |
More FYI.. |
| 49 |
Hardened is nearly dead in respects to the |
| 50 |
hardened-profile/hardened-toolchain/hardened-kernel. |
| 51 |
It does not have to die but we are in a bit of a catch-22. |
| 52 |
I'm the last dev really watching over those things. Everybody else has |
| 53 |
retired and moved on in life. I'm starting to do the same. Weekend and |
| 54 |
evening hobbies of other interest are starting to take priority. So the |
| 55 |
catch-22 is that hardened needs more devs+proxies and or to be |
| 56 |
re-evaluated.. The kicker is that I don't really have the spare time to |
| 57 |
mentor new people. So... Any of you that want to help this project |
| 58 |
continue. Please stop by #gentoo-hardened on freenode and offer whatever |
| 59 |
help you can that fit within your skill traits (self motivated ppl++). |
| 60 |
|
| 61 |
|
| 62 |
-- |
| 63 |
Ned Ludd <solar@g.o> |
| 64 |
|
| 65 |
-- |
| 66 |
gentoo-hardened@l.g.o mailing list |
Archives