Re: 2.1.96 EXPLOIT was [rootshell] Security Bulletin #18 (fwd)

Frank Sweetser (rasmusin@WPI.EDU)
Fri, 17 Apr 1998 22:47:07 -0400


Confirmed. Locked up hard: scrolling up worked, switching VTs was dead,
Alt-SysRq did nothing. Here's the oops (copied by hand, should be Bug
Free(TM)):

Unable to handle kernel paging request at virtual address 000a001d
*pde = 00000000
Oops: 0000
CPU: 0
EIP: 0010:[<c01207a2>]
EFLAGS: 00010082
eax: c0a3584c ebx: c009e1a0 ecx: 000a0015 edx: c0d3f06c
esi: 0018 es:0018 ss:0018
Process swapper (pid: 0, process nr: 0, stackpage=c0107000)
Stack: c0d3f040 2008d108 c0d3f09c c0d3f040 2008d108 c0a3584c c0d3f040 c0149e83
c0a35740 c0d3f040 c0149f4c c0d3f040 c01a00e0 c0a3578c c0165b48 c0d3f040
c01aff34 00000000 c0a35750 c0107f04 2008d782 78f0d782 c0a2c650 c015618c
Call Trace: [<c0149e83>] [<c0149f4c>] [<c01a00e0>] [<c0165b48>]
[<c0107f04>] [<c01561ec>] [<c0107f20>]
[<c015640c>] [<c0100008>] [<c014d714>] [<c0107f5c>] [<c01184b9>]
[<c0106000>] [<c0108c26>] [<c0109b7c>]
[<c0106000>] [<c0106000>] [<c010828f>] [<c01082f3>] [<c0106000>]
[<c0107fe4>] [<c0109abc>] [<c01080a0>]
[<c0107fe4>] [<c0106000>] [<c0108087>] [<c010025b>]
Code: 8b 69 08 81 fd 2b 2f c3 a5 0f 85 ef 00 00 00 8b 69 0c 85 ed
Aiee, killing interrupt handler
Kernel panic: attempted to kill the idle task!
In swapper task - not syncing

Using `./System.map' to map addresses to symbols.

>>EIP: c01207a2 <kfree+72/1e0>
Trace: c0149e83 <kfree_skbmem+23/50>
Trace: c0149f4c <__kfree_skb+9c/b0>
Trace: c01a00e0 <head_vals.630+7bb/1017>
Trace: c0165b48 <udp_rcv+78/270>
Trace: c0107f04 <this_must_match_init_task+1f04/2000>
Trace: c01561ec <ip_local_deliver+23c/2a0>
Trace: c0107f20 <this_must_match_init_task+1f20/2000>
Trace: c015640c <ip_rcv+1bc/200>
Trace: c0100008 <startup_32+8/f9>
Trace: c014d714 <net_bh+154/1d0>
Trace: c0107f5c <this_must_match_init_task+1f5c/2000>
Trace: c01184b9 <do_bottom_half+49/70>
Trace: c0107f5c <this_must_match_init_task+1f5c/2000>
Trace: c0108c26 <sys_rt_sigsuspend+96/130>
Trace: c0109b7c <ret_from_intr>
Trace: c0107f5c <this_must_match_init_task+1f5c/2000>
Trace: c0107f5c <this_must_match_init_task+1f5c/2000>
Trace: c010828f <hard_idle+1f/40>
Trace: c01082f3 <sys_idle+43/c0>
Trace: c0107f5c <this_must_match_init_task+1f5c/2000>
Trace: c0107fe4 <this_must_match_init_task+1fe4/2000>
Trace: c0109abc <system_call+38/3c>
Trace: c01080a0 <init>
Trace: c0107fe4 <this_must_match_init_task+1fe4/2000>
Trace: c0107fe4 <this_must_match_init_task+1fe4/2000>
Trace: c0108087 <cpu_idle+7/20>
Trace: c010025b <L6>
Code: c01207a2 <kfree+72/1e0>
Code: c01207a2 <kfree+72/1e0> 8b 69 08 movl 0x8(%ecx),%ebp
Code: c01207a5 <kfree+75/1e0> 81 fd 2b 2f c3 cmpl $0xa5c32f2b,%ebp
Code: c01207ab <kfree+7b/1e0> 0f 85 ef 00 00 jne c01208a0 <kfree+170/1e0>
Code: c01207b7 <kfree+87/1e0> 8b 69 0c movl 0xc(%ecx),%ebp
Code: c01207ba <kfree+8a/1e0> 85 ed testl %ebp,%ebp
Cannot read eip address from EIP: line. Is this a valid oops file?

-- 
Frank Sweetser rasmusin at wpi.edu fsweetser at blee.net | PGP key available
paramount.res.wpi.net RH 5.0 kernel 2.0.33/2.1.96   i586 | at public servers
"I think, therefore I am." -Dilbert
"But you're not me, therefore you don't matter." -Dogbert

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu
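Added example, not part of Frank's post or of the kernel tree: a small C program that does what the "Using ./System.map" step above does by hand, resolving raw oops addresses to ksymoops-style <symbol+offset/size> strings, and then checks that the faulting address 000a001d is exactly the memory operand 0x8(%ecx) of the instruction at EIP with ecx = 000a0015. The System.map excerpt is constructed: the symbol start addresses are back-computed from the offsets printed in the trace (EIP c01207a2 = kfree+72/1e0 puts kfree at c0120730 and the following symbol at c0120910, and likewise for kfree_skbmem, __kfree_skb and udp_rcv); the *_end_placeholder names are hypothetical neighbours standing in for whatever symbol really follows, not real 2.1.96 symbols, so only addresses inside those four functions resolve meaningfully.

```c
/*
 * Added example (not from the original post or the kernel): resolve oops
 * addresses to <symbol+offset/size> using a System.map listing, the way
 * ksymoops does, and confirm the fault address against the faulting
 * instruction's memory operand.
 *
 * The System.map excerpt is constructed. Symbol starts are back-computed from
 * the offsets in the report (c01207a2 = kfree+72/1e0 => kfree at c0120730,
 * next symbol at c0120730 + 0x1e0 = c0120910). The *_end_placeholder entries
 * are hypothetical neighbours, not real kernel symbols, so only addresses
 * inside kfree, kfree_skbmem, __kfree_skb and udp_rcv resolve meaningfully.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct sym {
    unsigned long addr;
    char name[40];
};

static const char *const system_map =
    "c0120730 T kfree\n"
    "c0120910 T kfree_end_placeholder\n"
    "c0149e60 T kfree_skbmem\n"
    "c0149eb0 T __kfree_skb\n"
    "c0149f60 T skb_end_placeholder\n"
    "c0165ad0 T udp_rcv\n"
    "c0165d40 T udp_end_placeholder\n";

static struct sym table[16];
static int nsyms = -1;

/* Parse "addr type name" lines into the table. Input order is kept; a real
 * System.map is already sorted by ascending address, and so is the excerpt. */
static int parse_map(const char *text)
{
    int n = 0;
    const char *p = text;

    while (*p && n < (int)(sizeof table / sizeof table[0])) {
        char type;
        if (sscanf(p, "%lx %c %39s", &table[n].addr, &type, table[n].name) == 3)
            n++;
        p = strchr(p, '\n');
        if (!p)
            break;
        p++;
    }
    return n;
}

/* Returns "name+off/size" for addr in a static buffer (ksymoops style), or
 * NULL when addr is outside the excerpt's coverage. "size" is just the
 * distance to the next symbol, which is all System.map can tell you. */
const char *lookup(unsigned long addr)
{
    static char out[64];
    int i;

    if (nsyms < 0)
        nsyms = parse_map(system_map);
    for (i = 0; i + 1 < nsyms; i++) {
        if (addr >= table[i].addr && addr < table[i + 1].addr) {
            snprintf(out, sizeof out, "%s+%lx/%lx", table[i].name,
                     addr - table[i].addr,
                     table[i + 1].addr - table[i].addr);
            return out;
        }
    }
    return NULL;
}

/* Effective address of a base+displacement operand such as 0x8(%ecx). */
unsigned long operand_addr(unsigned long base, long disp)
{
    return base + disp;
}

int main(void)
{
    /* Values copied from the oops in the post above. */
    unsigned long eip = 0xc01207a2UL;
    unsigned long trace[] = { 0xc0149e83UL, 0xc0149f4cUL, 0xc0165b48UL };
    unsigned long ecx = 0x000a0015UL, fault = 0x000a001dUL;
    size_t i;

    printf(">>EIP: %08lx <%s>\n", eip, lookup(eip));
    for (i = 0; i < sizeof trace / sizeof trace[0]; i++)
        printf("Trace: %08lx <%s>\n", trace[i], lookup(trace[i]));

    /* "movl 0x8(%ecx),%ebp" with ecx = 000a0015 reads 000a001d, i.e. kfree
     * is reading the block header (magic check) of a bogus pointer. */
    printf("0x8(%%ecx) = %08lx, %s\n", operand_addr(ecx, 8),
           operand_addr(ecx, 8) == fault ? "matches the fault address"
                                         : "does not match the fault address");
    return 0;
}
```

Run against a real System.map you would feed the whole file instead of the excerpt; the size field then becomes accurate for every symbol, and the placeholder names disappear. The operand check is the part worth doing by hand on any oops: if the register plus displacement in the Code: line reproduces the "Unable to handle kernel paging request at" address, the oops is a deref of that register's value, here a freed or corrupted skb pointer handed to kfree from the UDP receive path.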