Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linux 2.4.24 Release Fixes Root Vulnerability

Posted by simoniker on from the version-plus-plus dept.

diegocgteleline.es writes "Linux Kernel 2.4.24 has been released and is available on kernel.org. It seems there's a bug in the mremap(2) system call, where a local user can get root privileges.The new version has been released only with the most important bugs fixed - the rest of the changes have been postponed (those changes include the XFS filesystem)."

25 of 436 comments (clear)

  1. Re:Article title misleading... by simoniker · · Score: 4, Informative

    Good point, article title now changed.

    s!

  2. Changelog by SuperDuG · · Score: 4, Informative
    List: linux-kernel
    Subject: linux-2.4.24 released
    From: Marcelo Tosatti
    Date: 2004-01-05 13:55:57

    - 2.4.24-rc1 was released as 2.4.24 with no changes.

    Summary of changes from v2.4.23 to v2.4.24-rc1

    <bjorn.helgaas:hp.com>:
    &nbs p; - Fix 2.4 EFI RTC oops

    <marcelo.tosatti:cyclades.com>:
    - Andrea Arcangeli: malicious users of mremap() syscall can gain priviledges

    <marcelo:logos.cnet>:
    - Harald Welte: Fix ipchains MASQUERADE oops
    - Change EXTRAVERSION to 2.4.24-rc1

    <trini:mvista.com>:
    - /dev/rtc can leak parts of kernel memory to unpriviledged users

    Jean Tourrilhes:
    - IrDA kernel log buster

    -
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/
    Sorry it just seemed a bit more informative than the "YES" reply ...
    --
    Ignore the "p2p is theft" trolls, they're just uninformed
    1. Re:Changelog by Anonymous Coward · · Score: 1, Informative

      diff -urN linux-2.4.24-pre3/mm/mremap.c linux-2.4.24-rc1/mm/mremap.c
      --- linux-2.4.24-pre3/mm/mremap.c 2003-08-25 04:44:44.000000000 -0700
      +++ linux-2.4.24-rc1/mm/mremap.c 2004-01-05 04:14:19.000000000 -0800
      @@ -241,6 +241,13 @@

      if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
      goto out;
      + /*
      + * Allow new_len == 0 only if new_addr == addr
      + * to preserve truncation in place (that was working
      + * safe and some app may depend on it).
      + */
      + if (unlikely(!new_len && new_addr != addr))
      + goto out;

      /* Check if the location we're moving into overlaps the
      * old location at all, and fail if it does.

  3. Re:HOW DO I KNOW WHAT VERSION I'M RUNNING? by Zo0ok · · Score: 2, Informative

    #uname -a ...but I guess you are a troll...

  4. patch is very small - about 2K compressed by Anonymous Coward · · Score: 2, Informative
    This is a quick and simple fix.

    patch -p1 < patch-2.4.24
    make clean dep
    make bzImage modules_install

    Depending on your situation, configure your boot loader - grub or lilo - to recognize the new image.

  5. Re:Article title misleading... by mbyte · · Score: 5, Informative

    its been in the kernel since the 2.2 days .. the 2.2 series kernel's are also affected.

    read the synopsis: here
  6. Re:Anyone written an exploit yet? by Anonymous Coward · · Score: 3, Informative

    "Proof-of-concept exploit code has been created and successfully tested giving UID 0 shell on vulnerable systems."

    Just because the proof of concept exploit was created DOESN'T MEAN IT WAS RELEASED! If Linus and one other guy are the only ones with the proof of concept exploit, there is no reason to fear the script kiddies yet.

    They did NOT say if the reason for the fix was because someone released an exploit, or if the reason for the exploit is simply to prove the vulnerability works, and was not publically disseminated.

    Go STFU.

  7. Re:2.4.x? by Neon+Spiral+Injector · · Score: 4, Informative

    The bug has also been confirmed in 2.6.0-rc1. For those that have made the jump, a patch was just posted to the linux-kernel mailing list. I'm guessing -rc2 will follow soon.

  8. Re:2.4.x? by Neon+Spiral+Injector · · Score: 3, Informative

    Crud, that should have been 2.6.1-rc1 of course.

  9. Re:2.4.x? by Dimensio · · Score: 4, Informative

    Since you meant 2.6.1-rc1, I assume that it applies to 2.6.0?

    --
    STOP MISUSING APOSTROPHES, YOU MORONS!!!
  10. RedHat fixed orphaned versions by Kalak · · Score: 5, Informative

    Possibly due to the fact that the last kernel fix was a week ago, or just that the patch is minoor, or because RH is being kind to those of us who still have reasons to run RH 7.3 just yet, but look to RH for a kernel update if you need one for 7.x and 8 which are unsupported in 2004. Thanks RedHat. Saved me a panicked kernel decision. I desperately didn't want to return from a vacation to a timetable jump of a few weeks.

    --
    I am, and always will be, an idiot. Karma: Coma (mostly effected by .hack)
  11. Re:Well... by CommandNotFound · · Score: 4, Informative

    Also, is Linux more secure than Windows, because I hear a fair amount of Linux security holes more than Windows, or maybe I'm just not perceptive enough.

    All advanced operating systems can be insecure depending on configuration.

    However, regarding your specific question, you see more security exploits for Linux probably because Linux has both remote and local exploits; the vast majority are local exploits. A local exploit is usually only a concern in a multiuser mainframe-style environment where you have "trusted" users who can log in to the machine. These users can log in and use a local exploit to elevate their priviliges on the machine. If the user doesn't have a login account, they do not have the opportunity to perform the exploit. Local exploits generally use buffer overflows or hijack split-second temp files to do their nastiness.

    Windows generally does not operate in a multiuser fashion, so these exploits are not as pertinent. Having written Windows software for years, I can tell that if local exploits ever become a concern for Windows (e.g. if Windows ever goes multiuser in a big way, where a local user may want to exploit the machine), almost every Windows application will have big problems with local exploits, since they have been built assuming that the local system is single-user and temp files and registry entries are assumed to be safe.

  12. Re:Article title misleading... by Anonymous Coward · · Score: 1, Informative

    Simoniker is actually a pretty interesting guy, y'know ..

  13. RHN has new kernels for RH 7.1 to RH 8.0 by Erik_ · · Score: 3, Informative

    RedHat Network has patches for RH 7.3. From the RHN Errata page : "We have provided kernel updates for Red Hat Linux 7.1-8.0 with this advisory as these were prepared by us prior to December 31 2003. Please note that Red Hat Linux 7.1, 7.2, 7.3, and 8.0 have reached their end of life for errata support and no further errata will be issued for those distributions."

  14. Re:Mod parent back up please by ivan256 · · Score: 2, Informative

    It's also not being said enough that updates for local root exploits are practically pointless on single user systems. If you're the only one with access to your system, you don't need to apply this update, and in fact if somebody did manage to get access to such a single user system there are probably far easier ways for the attacker to gain privliges.... Like if you're in the sudoers file for example.

    The recent patches are only really important if you run a multi-user system and don't trust your users.

  15. Re:XFS Filesystem by Anonymous Coward · · Score: 2, Informative

    I think it's "special weapons and tactics"

  16. Re:XFS Filesystem by Elwood+P+Dowd · · Score: 3, Informative

    "Special weapons and training" yields 42 google hits, while "special weapons and tactics" yields 17,000.

    I'd say you've got the accepted definition.

    --

    There are no trails. There are no trees out here.
  17. Re:How do you patch? by pr00f · · Score: 2, Informative

    cd /usr/src/linux-2.4.23 ; patch -p1 /path/to/patch.diff

    Recompile and off you go.

  18. Re:How do you patch? by demi · · Score: 5, Informative

    Okay:

    1. Download patch to /usr/src
    2. cd /usr/src (since that's where you say your linux-2.4.23 is)
    3. bzip2 -dc patch-2.4.24.bz2 | patch -p0
    4. mv linux-2.4.23 linux-2.4.24
    5. cd linux-2.4.24
    6. Now build and install your kernel as you like it, just as you would from the virgin tarball (make depend; make however you make your kernel and modules).

    Hope that helps!

    --
    demi
  19. Re:How do you patch? by pr00f · · Score: 2, Informative

    Damn. < got removed. Sorry.

    patch -p1 < /path/to/patch.diff

  20. Trademarks are adjectives by tepples · · Score: 2, Informative

    Even so, "New Technology" is a name for that technology.

    No. "Windows NT" is a trademark. The law recommends using trademarks and service marks as adjectives. Even if the mark consists of initials, one of which would expand to a generic term for the product (such as "FS" in "XFS" or "T" in "NT"), the law still recommends following the mark with a spelled-out the generic term.

  21. Re:XFS Filesystem by pclminion · · Score: 2, Informative
    I don't know what you thought SWAT stood for, but none of the words are "team".

    No, that's the sanitized version of the acronym. SWAT originally meant Special Weapons Attack Team, but the acronym was quickly changed, probably for reasons of political correctness, to "Special Weapons and Tactics."

    Similarly to how they renamed the NMR machine to MRI, because people didn't feel comfortable stepping into a nuclear magnetic resonance device.

    Anyway, "SWAT team" is redundant.

  22. Re:Kernel patches as modules? by Anonymous Coward · · Score: 4, Informative
    I remember, back when the last ptrace bug was found, some kind soul created a kernel module that (a) renamed the current ptrace function to something else and (b) implemented a new wrapper function that first checked to see if you were root, before deciding whether to call the old ptrace. Slick!

    Modules (or really any third-party code regardless of method be it /dev/kmem or modules or whatever) having access to the syscall table of a running kernel is (1) evil, (2) nonportable - it won't work on many of our architectures, and (3) likely to become even harder as the kernel gurus try to defeat people doing stupid things like this.

    BTW, this also affects things like (why would you need this?) realtime virus scanners that hook syscalls. Please, don't do this. If the argument is that you need the machine to stay up because it's too important to reboot for a patch, then you definitely should not be inserting modules that *intentionally overwrite important chunks of kernel memory* because if there's the slightest thing wrong, your machine will either crash or begin to do bizarre things. You could end up with data corruption and/or loss for an extended period before you even realize it. Do not do this. It is not what you want. Believe me.

  23. Re:Proof-of-concept exploit code for x86 by devine10 · · Score: 2, Informative

    It means your kernel is vulnerable. Writing an exploit that yields root privileges is much harder though.

  24. Re:Article title misleading... by Lost+Race · · Score: 2, Informative
    I can't see how this applies to 2.2. In the new 2.4.24 patch to mremap, a new size of zero is explicitly allowed if new_addr==addr. In 2.2 there was no new_addr argument to mremap, so effectively new_addr==addr always. Is there a bug in 2.2's munmap that was fixed sometime in 2.3 or 2.4 but the fix never backported? That seems unlikely. I've examined 2.2.20 and 2.2.25 and they both look OK.

    For those of us who can't upgrade to the latest 2.4 kernels here is the mremap patch by itself. This applies cleanly to 2.4.21 and 2.4.22 (and probably most other 2.4 kernels as well).