# Another root exploit in 2.2, 2.4 and 2.6?

## Gruffi

http://isec.pl/vulnerabilities/isec-0012-mremap.txt

*Quote:*

> Since no special privileges are required to use the mremap(2) system call any process may misuse its unexpected behavior to disrupt the kernel memory management subsystem. Proper exploitation of this vulnerability may lead to local privilege escalation including execution of arbitrary code with kernel level access. Proof-of-concept exploit code has been created and successfully tested giving UID 0 shell on vulnerable systems.

----------

## fleed

Any gentoo kernels protected?

----------

## Kid Hash

I was wondering this too

I compiled my 2.4.23_pre8-gss yesterday - are any gentoo kernels not vulnerable?

----------

## dbergst

*Kid Hash wrote:*

> I was wondering this too
>
> I compiled my 2.4.23_pre8-gss yesterday - are any gentoo kernels not vulnerable?

See notes in kernel change log, patches to fix this vulnerability are not yet in portage AFAIK.

http://www.tux.org/pub/kernel/v2.4/ChangeLog-2.4.24

Someone should be able to generate comparable patch sets, these would be against several files that reference the rtc.  Here is the current set of patches for 2.4.24 posted at tux.org:

http://www.tux.org/pub/kernel/v2.4/patch-2.4.24.bz2

Detached GPG signature for 2.4.24 patches:

http://www.tux.org/pub/kernel/v2.4/patch-2.4.4.bz2.sign

----------

## pphisch

I just read this on the gentoo-security mailing list:

*Quote:*

> On Monday 05 January 2004 12:09, Tobias Weisserth wrote:
>
> > there is a new kernel vulnerability in the mremap system call. This
> > affects all kernels of the 2.2, 2.4 and 2.6 series with the exception of
> ...

and in the changelog I found this:

*Quote:*

> *gentoo-sources-2.4.22-r1 (02 Dec 2003)
>
>   02 Dec 2003; Brian Jackson <iggy@gentoo.org>
>   gentoo-sources-2.4.20-r9.ebuild, gentoo-sources-2.4.22-r1.ebuild,
> ...

How come the Gentoo developers knew about this vulnerability (or is it a different one?) since December the 1st?

----------

## ecatmur

The do_brk bug was an earlier one, that was used to compromise the Debian servers IIRC.

----------

## puke

Yes, do_brk is soooo last year.  :Laughing: 

----------

## pb

Here's a hotfix from Wojtek Kaniewski for <=2.4.23 kernels

```
# wget http://toxygen.net/hotfixes/mremap.c
# gcc -Wall -O3 -fomit-frame-pointer -I/usr/src/linux/include -c -o mremap.o mremap.c
# insmod mremap.o
```

----------

## plate

Look at both bug reports (mremap and rtc) for information about fixes to kernel sources in Portage. That's where all the action is until the GLSAs are published...

----------

## meyerm

Sorry for asking a perhaps dumb question. But where can I read the newest GLSA? The forum is not quite up-to-date. Is there some dedicated website? Or will I have to subscribe to the security ML?

----------

## plate

gentoo-announce is the name of the mailing list. Actually, the Forums are as much up to date on Gentoo Linux Security Announcements as it ever gets. Every time a GLSA gets published it appears on the front page of the Forums, too.

----------

## meyerm

Ah, GLSAs are published only when a patch is available and already merged into the portage tree?

----------

## ddanier

updated versions of the kernel available, but no GLSA yet  :Wink: 

----------

## Endolf

Hi

They are indeed. But what confuses me is having read the patch and compared my 2.4.22-r2 kernel source it doesn't appear to be in there, but the bug log says that's where they applied it. On the other hand, 2.4.22-r3 does have it, so I'm building that instead  :Smile: 

Endolf

----------

## pb

*Endolf wrote:*

> Hi
>
> They are indeed. But what confuses me is having read the patch and compared my 2.4.22-r2 kernel source it doesn't appear to be in there, but the bug log says that's where they applied it. On the other hand, 2.4.22-r3 does have it, so I'm building that instead
>
> Endolf

gentoo-sources-2.4.22-r3 is the same as 2.4.22-r2... I wonder why it has been released and marked as stable...

```
# cd /usr/portage/sys-kernel/gentoo-sources/
# diff gentoo-sources-2.4.22-r2.ebuild gentoo-sources-2.4.22-r3.ebuild
```

----------

## Endolf

Hi

Mine seem to have some slight difference, I'm not sure what it's supposed to resolve to, but ${PVR} has been replaced with 2.4.22-r2 in the r3 ebuild, I'm *guessing* ${PVR} would resolve to 2.4.22-r3 and the patch files are the r2 ones still. This doesn't explain why my r2 sources don't have the patch though, unless the r2 ebuild has been updated since I got mine (the sync to get r3 would have overwritten the r2 ebuild in this case, so I can't tell)

Endolf

----------

## Endolf

Hmm

Just checked another box that I emerge sync'd 24 hours ago, and it does indeed look like the r2 ebuild changed as the old one doesn't have the RTC or mremap patches in it, whereas the one I sync'd today does, I guess that is why I don't have the patches applied to my r2 kernel that I built yesterday afternoon (GMT)  :Smile: 

Endolf

Edit: A quick copy between boxes and I get this

```
diff gentoo-sources-2.4.22-r2.ebuild gentoo-sources-2.4.22-r2.ebuild.new

1c1

< # Copyright 1999-2003 Gentoo Technologies, Inc.

---

> # Copyright 1999-2004 Gentoo Technologies, Inc.

3c3

< # $Header: /home/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/gentoo-sources-2.4.22-r2.ebuild,v 1.2 2003/12/21 06:45:59 iggy Exp $

---

> # $Header: /home/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/gentoo-sources-2.4.22-r2.ebuild,v 1.3 2004/01/06 15:17:52 plasmaroo Exp $

40a41,43

>       epatch ${FILESDIR}/gentoo-sources-2.4.CAN-2003-0985.patch || die "Failed to apply mremap() fix!"

>       epatch ${FILESDIR}/gentoo-sources-2.4.22-rtc_fix.patch || die "Failed to apply RTC fix!"

>

```
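Review bot: the 40a41,43 hunk patches the already-published 2.4.22-r2 ebuild in place (the $Header line only moves from v1.2 to v1.3) instead of bumping to a new revision, so an installed gentoo-sources-2.4.22-r2 still looks current to Portage and keeps a source tree without the mremap() and RTC fixes, which is exactly the confusion this post describes; a revision bump, or at least a note telling r2 users to re-emerge, would make the change visible. The `|| die "..."` on both epatch calls is the right shape: a patch that fails to apply aborts the build instead of silently producing an unpatched tree.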

So we now know who to blame for confusing us poor mortals, that's right, plasmaroo is our winner today  :Razz: 
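The thread's practical lesson is that a version string alone does not tell you whether a Gentoo kernel carries the mremap() fix: gentoo-sources-2.4.22-r2 became patched without its version changing, while a vanilla 2.4 tree is only safe from 2.4.24 on (the ChangeLog linked above). The script below is an added example, not code from the thread, from Gentoo or from the advisory; it performs both checks. The 2.4.24 threshold is taken from the thread, the epatch line it greps for is the one the diff above adds, and the ebuild snippets and version strings it runs against are constructed fixtures.

```shell
#!/bin/sh
# Added example; not code from the thread, from Gentoo or from the advisory.
# Two checks an administrator reading this thread would want:
#   1. Is a vanilla 2.4 kernel version at or past 2.4.24, the release whose
#      ChangeLog (linked in the thread) carries the mremap() fix?
#   2. Does a gentoo-sources ebuild apply the CAN-2003-0985 patch, as the
#      updated 2.4.22-r2 ebuild in the diff does? A vendor kernel keeps its old
#      version string after being patched, so check 1 alone says nothing
#      about gentoo-sources-2.4.22-r2.
# The ebuild snippets and version strings below are constructed fixtures.

# Strip a Portage suffix ("_pre8-gss", "-r2") so only digits and dots remain.
numeric_version() {
    printf '%s' "$1" | sed 's/[^0-9.].*//'
}

# Return 0 if version $1 >= version $2, comparing up to three dotted fields
# numerically (".0.0" is appended so cut always finds a field).
version_ge() {
    v1="$(numeric_version "$1").0.0"
    v2="$(numeric_version "$2").0.0"
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$v1" | cut -d. -f"$i")
        b=$(printf '%s' "$v2" | cut -d. -f"$i")
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Vanilla 2.4 series only: return 0 when $1 is 2.4.24 or later. Other series
# (2.2, 2.6) are outside this check and return 1, so they are never reported
# as fixed on version alone.
vanilla_24_has_fix() {
    case "$(numeric_version "$1")" in
        2.4.*) version_ge "$1" 2.4.24 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the ebuild text in $1 applies the CAN-2003-0985 patch via
# epatch, the line the diff added to gentoo-sources-2.4.22-r2.ebuild.
ebuild_applies_mremap_fix() {
    printf '%s\n' "$1" | grep -q 'epatch .*CAN-2003-0985'
}

# Combine both checks and print one verdict line for a kernel.
kernel_verdict() {
    version=$1
    ebuild_text=$2
    if vanilla_24_has_fix "$version"; then
        echo "fixed: $version is 2.4.24 or later"
    elif ebuild_applies_mremap_fix "$ebuild_text"; then
        echo "fixed: $version ebuild applies the CAN-2003-0985 patch"
    else
        echo "unpatched: $version and its ebuild show no mremap() fix"
    fi
}

# Constructed fixtures: the r2 ebuild before and after the in-place update
# seen in the diff (only a sketch of the src_unpack body).
OLD_R2_EBUILD='src_unpack() {
	unpack ${A}
}'
NEW_R2_EBUILD='src_unpack() {
	unpack ${A}
	epatch ${FILESDIR}/gentoo-sources-2.4.CAN-2003-0985.patch || die "Failed to apply mremap() fix!"
	epatch ${FILESDIR}/gentoo-sources-2.4.22-rtc_fix.patch || die "Failed to apply RTC fix!"
}'

# Stand-alone run over the situations described in the thread.
kernel_verdict 2.4.23_pre8-gss ""          # no ebuild text to inspect
kernel_verdict 2.4.22-r2 "$OLD_R2_EBUILD"  # r2 ebuild as synced before the update
kernel_verdict 2.4.22-r2 "$NEW_R2_EBUILD"  # r2 ebuild after the update
kernel_verdict 2.4.24 ""                   # vanilla release with the fix
```

To use it against a real tree, pass the running kernel's version (for example from `uname -r`) and the contents of the matching ebuild under /usr/portage/sys-kernel/gentoo-sources/ to `kernel_verdict`; the grep is deliberately narrow, so a kernel patched by some other mechanism (such as the hotfix module earlier in the thread) is still reported as unpatched and must be judged separately.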

----------

