NI3
01-06-2004, 05:41 PM
Program: Linux kernel 2.2, 2.4 and 2.6
Severity: Medium
Exploit available: Yes
Description: A vulnerability has been found in the Linux kernel. A local user can gain root privileges on a vulnerable system.
A buffer overflow was found in the mremap system call. As a result, a local user can force kernel code to create a memory page of zero size, which leads to kernel memory corruption.
It is reported that a working exploit exists which lets an unprivileged user obtain kernel privileges (UID 0) on a vulnerable system.
Solution: Install the updated kernel version (2.4.24-rc1, the version targeted by the patch below) or apply the following fix:
diff -.Naur of -.Kh of /.yuome/marchelo/lib/dontdiff
linux-2.4.23/mm/mremap.c linux-2.4.24-rc1/mm/mremap.c ---
linux-2.4.23/mm/mremap.c of 2003-08-25 11:44:44.000000000 +0000 +++
linux-2.4.24-rc1/mm/mremap.c 2004-01-04 20:52:19.000000000 +0000 @@
-241,6 +241,13 @@ if (new_.len > TASK_.SIZE || new_.addr > TASK_.SIZE
- new_.len) goto out; +/* + * Allow new_.len == 0 only if
new_.addr == addr + * to preserve truncation in place (that was
working + * safe and some app May depend on it). + */+ if
(unlikely(!.new_.len && new_.addr! = addr)) + goto out; /
* Check if the location we're moving into overlaps the * old location
at all, and fail if it does.
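Review bot: the added check rejects a zero-length request only when new_addr != addr, so a zero-length mremap to the same address still falls through to the overlap check and the move below it; nothing in the hunk shows that the remainder of the function handles new_len == 0 safely, so please confirm that path or return early for the in-place zero-length case as well. The check also sits immediately after the new_addr/TASK_SIZE validation, so a request that does not pass through that validation (no fixed destination address) is not covered by this hunk; confirm that such a request cannot reach the move with new_len == 0 or add a matching check on that path. Minor style: the comment's "that was working safe and some app may depend on it" reads better as "that was safe before and some applications may depend on it".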
