Date: Wed, 27 Jan 1999 03:14:29 -0500 From: //Stany To: BUGTRAQ@netspace.org Subject: Re: 2.2.0 SECURITY (fwd) Later on down the thread there are other people then Dan Burcaw who say that the bug crashes their boxes too. I suggest reading the thread on Linux Kernel archives for more information. See information at the bottof of forwarded message for information. ---------- Forwarded message ---------- Date: Tue, 26 Jan 1999 22:08:03 -0700 (MST) >From: Dan Burcaw To: Richard Gooch Cc: linux-kernel@vger.rutgers.edu Subject: Re: 2.2.0 SECURITY This has been tested and causes crashes on: AMD K6-2 350 AMD K6-2 400 Intel 486 SX25 w/ P90 Overdrive On Wed, 27 Jan 1999, Richard Gooch wrote: > Dan Burcaw writes: > > > > There is a bug that works only on the 2.2.0 kernel that will allow root > > and non-root users to crash the machine (the system reboots). > > > > To replicate this bug do following: > > > > Take any core file, and as normal user or root run: ldd core > > > > The machine will reboot, saying that it cannot get execution permissions > > for ./core > > > > As far as I can tell, this problem only affects x86 machines running > > 2.2.0. I know that PPC is not affected. > > Just tried this on a dual PPro: > > % cat > try.c > void main () > { > * (unsigned int *) 0 = 0; > } > % cc -o try try.c > % ./try > Segmentation fault > % ldd core > % dmesg | tail -1 > perfmon: v0.4 (19990127) Richard Gooch (rgooch@atnf.csiro.au), 2 counters > > Nope, doesn't cause a reboot, panic, Oops or any problems > here. Running as root makes no difference. > > Regards, > > Richard.... > Dan Terra Firma Design & Terra Soft Solutions, Inc. voice (970) 416-9821 in Fort Collins email dburcaw@terraplex.com website http://www.terraplex.com/ - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/ -- +-----------------------------------------------------------------------------+ | Stanislav N. Vardomskiy - Procurator Odiosus Ex Infernis[TM] | | This message is brought to you by letters jey, ow, el and tee. | | Jolt! For all the sugar and twice the caffeine. | +-----------------------------------------------------------------------------+ -------------------------------------------------------------------------------- Date: Wed, 27 Jan 1999 19:19:01 +0000 From: Alan Cox To: BUGTRAQ@netspace.org Subject: Re: 2.2.0 SECURITY (fwd) > Later on down the thread there are other people then Dan Burcaw who say > that the bug crashes their boxes too. > > I suggest reading the thread on Linux Kernel archives for more > information. See information at the bottof of forwarded message for > information. Yep its real bug. The relevant info for early adopters is: >From: MOLNAR Ingo To: linux-kernel@vger.rutgers.edu, linux-smp@vger.rutgers.edu cc: Linus Torvalds , Alan Cox , "David S. Miller" Subject: [patch] 'coredump crash' fixed it was a very subtle bug and has nothing to do with coredumps at all, but it's very rare and the invalid coredump ELF layout accidentally triggered the bug. with the attached patch applied i get: [root@moon /root]# ldd core not a dynamic executable [root@moon /root]# just as expected. The reason why we crash and why it made the kernel reboot in such a nasty way was that munmap() did just a tad more work than necessary and we zapped 0xc0000000's page table entry ... that is a pretty vital piece of 4M virtual space on Linux ;) (erm, just dont ask me how i managed to debug this ;) -- mingo, running a hopefully much safer kernel now ;) --- linux/mm/mmap.c.orig Wed Jan 27 14:09:31 1999 +++ linux/mm/mmap.c Wed Jan 27 14:06:09 1999 @@ -558,7 +558,7 @@ unsigned long start, unsigned long end) { unsigned long first = start & PGDIR_MASK; - unsigned long last = (end & PGDIR_MASK) + PGDIR_SIZE; + unsigned long last = ((end-1) & PGDIR_MASK) + PGDIR_SIZE; if (!prev) { prev = mm->mmap; - Linux SMP list: FIRST see FAQ at http://www.irisa.fr/prive/mentre/smp-faq/ To Unsubscribe: send "unsubscribe linux-smp" to majordomo@vger.rutgers.edu -------------------------------------------------------------------------------- Date: Wed, 27 Jan 1999 05:41:59 +0000 From: Aaron Lehmann To: BUGTRAQ@netspace.org Subject: 2.2.0 SECURITY (fwd) A bug has been discovered in the recently released Linux 2.2.0. I suggest going back to Linux 2.0.36 until this nasty bug is fixed. It was later realized that this bug DOES also affect Linux 2.2.0ac1, but only if the core file has permissions 600. KeyID 1024D/73348CA0 Fingerprint 8EFC 7F10 F26C 55A8 458A 38B0 890F 384F 7334 8CA0 Public key available at http://www.vitelus.com/aaronl/pubkey.asc