Re: 2.2.0 SECURITY --- narrowing down the problem

Max (max@Linuz.sns.it)
Wed, 27 Jan 1999 13:59:32 +0100 (MET)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Guest section DW: "Re: PROBLEM: Kernel 2.2.0 destroyed filesystem"
Previous message: Mike A. Harris: "RealAudio failure in 2.2.0?"

On Wed, 27 Jan 1999, Jeremy Fitzhardinge wrote:

>Certainly the kernel code checks that the ELF file is either ET_EXEC or ET_DYN
>(and not ET_CORE). If ld-linux.so is doing a user-space exec, then I guess it
>might forget to check the ELF file type and just go and map the segments as it
>finds them... but all that means is that you get a strangely shaped address
>space. Which means that if people are having problems then it can be
>reproduced in some other way.

I found a way to crash 2.2.0 that looks *very* related...
I wrote a tiny program in assembler. If linked normally, it works
(massaging the ELF section permissions to mmap it read/write)
If linked with -Ttext 0xbffff054, the machine reboots *EVEN* if the program
is executed as normal user.

to reproduce: extract the Makefile and modunload.S, type 'make' and './modunload'

----------------------------- Makefile -----------------------------
all: modunload

%: %.S
gcc -o $@.s -E $<
gcc -o $@.o -c $@.s
ld -Ttext 0xbffff054 -o $@ -s $@.o
strip --remove-section=.data --remove-section=.bss $@

clean:
rm -f modunload.o modunload

------------------ modunload.S -------------------------------------
#include <asm/unistd.h>

#define INTERVAL 60 /* seconds */

#define MERGE(a,b) a##b
#define SYS(nr) movl $MERGE(__NR_,nr),%eax ; int $0x80

.globl timeout
.globl rootdir
.globl _start
.text
.align 4
_start:
/* fork in the background, as all daemons do */
SYS(fork)
xorl %ebx,%ebx
cmpl %ebx,%eax
jz daemon
SYS(exit)
daemon:
/* close all fds */
SYS(close)
incl %ebx
SYS(close)
incl %ebx
SYS(close)

/* detach from tty */
SYS(setsid)
/* chdir("/") */
movl $rootdir,%ebx
SYS(chdir)

xorl %ebx,%ebx
xorl %ecx,%ecx
xorl %edx,%edx
xorl %esi,%esi
movl $timeout,%edi
loop:
xorl %ebx,%ebx
movl %ebx,4(%edi)
movl $INTERVAL,(%edi)
SYS(_newselect)

SYS(delete_module)

jmp loop

.align 4
timeout:
.long INTERVAL
.long 0
rootdir:
.string "/"

---------------------------------------------------------------------------

This worked *fine* on 2.2.0-pre7.
Hope it helps,

Massimiliano Ghilardi

----------------------------------------------------------------
| I have yet to meet a person who had a bad experience of Linux. |
| Most have never had an experience. |
----------------------------------------------------------------

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Guest section DW: "Re: PROBLEM: Kernel 2.2.0 destroyed filesystem"
Previous message: Mike A. Harris: "RealAudio failure in 2.2.0?"