# Kernel bug: userland can fully access Linux kernel memory

## Gruffi

At debian.org I saw this page:

[SECURITY] [DSA-403-1] userland can access Linux kernel memory

http://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00212.html

It looks like all kernels below 2.4.23 are vulnerable.

Does the gentoo-sources ebuild have an appropriate patch for this?

----------

## Daath

I wonder if the patch (which seems to have been known since September) is already in gentoo-sources 2.4.20-r?...

----------

## nbensa

any dev want to say something please?

----------

## MacMasta

Security folk? Anybody? Does my gentoo-sources need a patch?

(I realize this is mostly a bump post)

~Mac~

----------

## boroshan

vanilla-sources is at 2.4.23 - you can run on vanilla safely until someone confirms the patch status of gentoo-sources etc

----------

## nbensa

vanilla doesn't include XFS. Anyway, 2.4.23pre6aa3 includes the fix for this exploit and that's what I'm using.

----------

## wiregauze

*Daath wrote:*

> I wonder if the patch (which seems to have been known since september) is already in gentoo-sources 2.4.20-r?...

I think not. According to the link provided above, the exploit is with do_brk().

The following is the do_brk() syscall part of the 'diff -c' output for mm/mmap.c:

```

*** 1041,1055 ****

        if (!len)

                return addr;

-       if ((addr + len) > TASK_SIZE || (addr + len) < addr)

-               return -EINVAL;

-

        /*

         * mlock MCL_FUTURE?

         */

        if (mm->def_flags & VM_LOCKED) {

                unsigned long locked = mm->locked_vm << PAGE_SHIFT;

                locked += len;

                if (locked > current->rlim[RLIMIT_MEMLOCK].rlim_cur)

                        return -EAGAIN;

        }

```
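Review bot: this hunk is only the old-file half of a `diff -c` (`*** 1041,1055 ****`), and its `-` marks lines that are present in the first file but absent from the second, so the three lines `if ((addr + len) > TASK_SIZE || (addr + len) < addr)` / `return -EINVAL;` are the check the unpatched tree lacks; anyone hand-patching must add them after `return addr;`, not remove them. Keep both halves of the condition: the `(addr + len) > TASK_SIZE` part stops a request from reaching kernel space, and the `(addr + len) < addr` part is the wraparound test for a `len` large enough that the 32-bit sum overflows and comes out smaller than `addr`, which the first comparison alone would accept.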

Haven't tested it yet, but I think just "hand-patching" should work.

-- wiregauze

----------

## togge

Does anyone know if there is exploit code in the wild for this? :Shocked:

anyone tested this with grsec? *crossing fingers*

----------

## Gruffi

The "new" gentoo-sources-r8 fixes the problem.

You have to unmerge gentoo-sources and re-emerge them.

I did:

```
# keep the current kernel configuration out of the tree that is about to be removed
mv /usr/src/linux/.config /usr/src

emerge --unmerge gentoo-sources
rm -r /usr/src/linux-2.4.20-gentoo-r8
rm /usr/src/linux

emerge gentoo-sources

# restore the saved configuration into the freshly emerged tree and build
mv /usr/src/.config /usr/src/linux/
cd /usr/src/linux
make dep && make clean && make bzImage

# install the new kernel image (path corrected from the original "arc/i368")
mount /boot
mv /usr/src/linux/arch/i386/boot/bzImage /boot
umount /boot
```

and got:

```
 * Applying do_brk_fix.patch... [ ok ]
```

----------

## andrew_j_w

*togge wrote:*

> Does anyone know if there is exploit code in the wild for this?

This was the exploit used to hack the Debian boxes - so yes there is an exploit in the wild...

----------

## badgers

what about the 2.6 kernels?

specifically 2.6 test 9?

----------

## Gruffi

 *badgers wrote:*   

> what about the 2.6 kernels?
> 
> specifically 2.6 test 9?

 

The link I posted states: "This bug has been fixed in kernel version 2.4.23 for the 2.4 tree and 2.6.0-test6 kernel tree."

----------

## TobiWan

*Baron FrostFire wrote:*

> The "new" gentoo-sources-r8 fixes the problem.
> 
> You have to unmerge gentoo-sources and re-emerge them.
> 
> ...

 

Hi there,

I have the sys-kernel/gentoo-sources-2.4.22 installed. Are they fixed too? Probably not, I guess.

Isn't there some kind of bulletin board on the Gentoo website informing about important stuff like this?! Any hint from the Gentoo folks? How do I get information about security related stuff affecting Gentoo?

I guess I'm probably not endangered anyway by this bug but I'd like to hear that from more than just my own mind, that loves to do other things than patching and recompiling kernels all day  :Wink: 

My machine is not connected to the Internet directly but uses another Linux gateway which is running an older kernel with ipchains, a Smoothwall GPL box.

I don't have any services running which are routed by the Smoothwall.

I can totally trust local users from userland since they are all family.

I shouldn't be bothered by the do_brk() bug, right?

Eventually, I'd like to see this fixed in gentoo-sources though  :Wink: 

cheers,

Tobias

----------

## Dr_Stein

```
www jnichols # emerge -up --deep world

These are the packages that I would merge, in order:

Calculating world dependencies ...done!

[ebuild  N    ] sys-kernel/gentoo-sources-2.4.20-r9

www jnichols #
```

----------

## sawanv

Hmmm... this might sound strange, but I did all the steps listed by Baron FrostFire above and I still don't get the line:

```
* Applying do_brk_fix.patch... [ ok ]
```

Any ideas, anyone? I am assuming I don't have the correctly patched code, as I can't see the above line...

Thanks

Sawan

----------

## Gruffi

 *sawanv wrote:*   

> Any ideas anyone? I am assuming I dont have the correctly patched code as I cant see the above line...

 

You should get something like this:

http://www.bart.vk.easynet.be/emergegentoosources.txt

Search for the string "Applying do_brk_fix.patch..."

----------

## bverheg

I emerged gentoo-sources-2.4.20-r9

Got the message  "Applying do_brk_fix.patch..."

But inspecting the sources, I found that the patch had not been applied!

The offsets in the distributed patch are not correct.

So for now, you'd better apply it by hand, or use my diffs:

```
--- mmap.c.orig   2003-12-03 08:54:19.000000000 +0100

+++ mmap.c   2003-12-03 08:54:19.000000000 +0100

@@ -1248,6 +1248,9 @@

    if (!len)

       return addr;

 

+    if ((addr + len) > TASK_SIZE || (addr + len) < addr)

+       return -EINVAL;

+ 

    /*

     * mlock MCL_FUTURE?

     */

```
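Review bot: the hunk header `@@ -1248,6 +1248,9 @@` places the change some 200 lines later than the `*** 1041,1055 ****` range in the earlier `diff -c` excerpt, which supports the claim that the distributed patch's offsets do not match this tree; when applying by hand, find the `if (!len)` / `return addr;` pair inside do_brk() rather than trusting the line numbers. The third added line is `+ ` with a trailing space; it should be a bare `+` so the patch does not introduce trailing whitespace into mm/mmap.c. Since this post shows the ebuild's `[ ok ]` message is not proof of application, confirm afterwards that the `TASK_SIZE` comparison is really present in do_brk() in the installed sources.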

I filed a bug report about this: https://bugs.gentoo.org/show_bug.cgi?id=34958
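The check shown in wiregauze's `diff -c` excerpt and in bverheg's unified diff above is easier to reason about with a small model. The following C program is an added example, not code from this thread, from the Gentoo ebuild or from the kernel tree: it assumes the i386 value of TASK_SIZE (0xC0000000, a 3 GB user / 1 GB kernel split) and feeds constructed request values to three variants of the test, the unpatched behaviour the thread describes, a check with only the TASK_SIZE comparison, and the complete check from the diff, so that the purpose of the `(addr + len) < addr` clause is visible in the output.

```c
/*
 * Added example (not code from this thread, from the Gentoo ebuild or from
 * the kernel tree): a user-space model of the do_brk() range check that the
 * DSA-403-1 fix adds, evaluated with 32-bit arithmetic to mirror an i386
 * kernel.  TASK_SIZE is the assumed i386 user-space limit; the sample
 * requests are constructed values, not taken from any exploit.
 */
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define TASK_SIZE 0xC0000000u     /* assumed i386 value: first address above user space */

typedef uint32_t kaddr_t;         /* stands in for the kernel's 32-bit unsigned long */

/* The check from the quoted diff: the request must end at or below TASK_SIZE
 * and addr + len must not wrap around.  Returns 0 if acceptable, -EINVAL if not. */
int brk_range_check_fixed(kaddr_t addr, kaddr_t len)
{
    kaddr_t end = addr + len;     /* modular 32-bit addition: may wrap to a small value */
    if (end > TASK_SIZE || end < addr)
        return -EINVAL;
    return 0;
}

/* Constructed comparison, not on the page: the same test without the
 * wraparound clause, to show what `(addr + len) < addr` is there for. */
int brk_range_check_no_wrap_clause(kaddr_t addr, kaddr_t len)
{
    kaddr_t end = addr + len;
    if (end > TASK_SIZE)
        return -EINVAL;
    return 0;
}

/* Behaviour the thread describes for kernels before 2.4.23 / 2.6.0-test6:
 * no range validation at this point in do_brk(). */
int brk_range_check_unpatched(kaddr_t addr, kaddr_t len)
{
    (void)addr;
    (void)len;
    return 0;
}

/* Three constructed requests: ordinary heap growth, a range that crosses into
 * kernel space, and a length large enough that addr + len wraps past
 * 0xFFFFFFFF and the naive end-of-range value lands back inside user space. */
struct brk_request { const char *what; kaddr_t addr; kaddr_t len; };

static const struct brk_request sample_requests[] = {
    { "ordinary heap growth",    0x08050000u, 0x00001000u },
    { "crosses TASK_SIZE",       0xBFFFF000u, 0x00002000u },
    { "addr + len wraps around", 0xBFFFF000u, 0x40002000u },
};

static const char *verdict(int rc)
{
    return rc == 0 ? "accept" : "EINVAL";
}

int main(void)
{
    size_t i;
    printf("%-24s %-10s %-9s %-9s %-9s\n", "request", "end", "unpatched", "no-wrap", "fixed");
    for (i = 0; i < sizeof sample_requests / sizeof sample_requests[0]; i++) {
        const struct brk_request *r = &sample_requests[i];
        kaddr_t end = r->addr + r->len;
        printf("%-24s 0x%08" PRIx32 " %-9s %-9s %-9s\n", r->what, end,
               verdict(brk_range_check_unpatched(r->addr, r->len)),
               verdict(brk_range_check_no_wrap_clause(r->addr, r->len)),
               verdict(brk_range_check_fixed(r->addr, r->len)));
    }
    return 0;
}
```

The third row is the interesting one: 0xBFFFF000 + 0x40002000 wraps to 0x00001000, which is comfortably below TASK_SIZE, so a check that only compares the end against TASK_SIZE accepts it, while the `end < addr` clause from the diff rejects it. That is why both comparisons appear together on one line in the fix.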

----------

## Koon

 *TobiWan wrote:*   

> Any hint from the Gentoo folks?

 

Follow the bug : https://bugs.gentoo.org/show_bug.cgi?id=34844

 *Quote:*   

> How do I get information about security related stuff affecting Gentoo?

 

There is a gentoo-security mailing list which has that purpose.

 *Quote:*   

> My machine is not connected to the Internet directly but uses another Linux gateway which is running an older kernel with ipchains, a Smoothwall GPL box.
> 
> I don't have any services running which are routed by the Smoothwall.
> 
> I can totally trust local users from userland since they are all family.
> ...

 

Privilege escalation vulns can be exploited (1) by local users and (2) together with another vuln in an exposed service that gives user-level access. So in your case, you can wait  :Wink: 

-K

----------

## TobiWan

Thanks Koon,

I'll subscribe to the mailing list right now :Very Happy:

cheers,

Tobias

----------

## Thulle

*andrew_j_w wrote:*

> *togge wrote:* Does anyone know if there is exploit code in the wild for this?
> 
> This was the exploit used to hack the Debian boxes - so yes there is an exploit in the wild...

 

That exploit wasn't released publicly AFAIK, though a Polish security site made a proof-of-concept that somehow leaked; I saw it some hours later, and some hours after that there was some fast & evil stuff out there, so indeed it's a threat.

----------

## puke

gentoo-sources 2.4.22-r1 appears to have this fix in mmap.c.

----------

