mremap() bug and 2.2?

[Petr Baudis]

Dear diary, on Mon, Jan 05, 2004 at 06:10:53PM CET, I got a letter,
where Diego Calleja <grundig@xxxxxxxxxxx> told me, that...
> El Mon, 5 Jan 2004 13:26:23 -0200 (BRST) Marcelo Tosatti <marcelo.tosatti@xxxxxxxxxxxx> escribió:
> 
> > On Mon, 5 Jan 2004, Robert L. Harris wrote:
> > > Just read this on full disclosure:
> > >
> > > http://isec.pl/vulnerabilities/isec-0013-mremap.txt
> [...]
> > It is possible that the problem is exploitable. There is no known public
> > exploit yet, however.
> > 
> > 2.4.24 includes a fix for this (mm/mremap.c diff)
> 
> It names 2.2 too. Is there a fix for 2.2?

I'm trying to investigate that right now. In 2.2, mremap() doesn't yet
take yet the new_addr argument, therefore the "official" 2.4 fix
wouldn't apply at all to it. There are four possibilities:

* The isec.pl guys just made a mistake.

* 2.2's get_unmapped_area() can return dangerous pages for len == 0,
whilst the 2.4's get_unmapped_area() cannot. (I'm not sure, looking into
that code right now.)

* 2.4's fix is incorrect.

* I'm missing something obvious.

Anyone has an idea?

-- 
 
				Petr "Pasky" Baudis
.
The brain is a wonderful organ; it starts working the moment you get up
in the morning, and does not stop until you get to work.
.
Stuff: http://pasky.or.cz/
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/