Date: 4 May 2004 15:51:30 +0200
From: SecuriTeam <support@securiteam.com>
To: list@securiteam.com
Subject: [UNIX] PaX Linux Kernel Patch DoS
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
PaX Linux Kernel Patch DoS
------------------------------------------------------------------------
SUMMARY
PaX is a collection of intrusion prevention patches for the Linux Kernel.
Among others it can disable execution of code from specific memory pages
that can help prevent buffer overflow exploitations.
A bug in the PaX kernel patch allows for a denial of service condition on
the kernel that effectively freezes the machine.
DETAILS
Vulnerable Systems:
* PaX kernel patch for the Linux kernel 2.6, versions prior to 2004.05.01
Immune Systems:
* PaX kernel patch version 2004.05.01
The denial-of-service condition arises when ASLR is enabled. The bug
causes the kernel to enter an infinite loop. Part of the relevant code is
presented below:
'linux/mm/mmap.c'
if (start_addr != TASK_UNMAPPED_BASE) {
#ifdef CONFIG_PAX_RANDMMAP
if (current->flags & PF_PAX_RANDMMAP)
start_addr = addr =
TASK_UNMAPPED_BASE + mm->delta_mmap;
else
#endif
start_addr = addr = TASK_UNMAPPED_BASE;
goto full_search;
}
return -ENOMEM;
Vendor Status:
Gr-Security are aware of the problem and have already released a newer
version. Also, a patch can be found at
<http://pax.grsecurity.net/pax-linux-2.6.5-200405011700.patch>;
http://pax.grsecurity.net/pax-linux-2.6.5-200405011700.patch.
ADDITIONAL INFORMATION
The information has been provided by <mailto:chris@cr-secure.net>
ChrisR-.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
