Goetz Babin-Ebell said [Fri, Dec 05, 2003 at 10:31:27PM +0100]:
> >I've written a Linux kernel module that can be used to hotfix a
> >Linux system for the bug in do_brk. It scans the
> >kernel space and replaces jmps and calls to do_brk
> >to point to a wrapper routine instead. It also maps
> >the symbol table to point to the wrapper. This only
> >works on x86 and it has only been tested with RH kernels
> >2.4.18-27.7.xsmp and 2.4.20-20.7smp. It is quite possible
> >this could crash or screw up a system, so use at your own
> >risk. I've tested the module against the proof of concept code
> >written and posted by Christophe Devine. The module catches
> >the exploit and logs the attempt.
>
> It would be less intrusive to the kernel to supply a fixed do_brk()
> and replace do_brk with a jump to your version.
>
> This way you only have to touch one place
> in the kernel space (and no guesswork, no modifying
> of kernel data that might look like a pointer to do_brk()
> but is really something else...)

Not only that: in order to be really effective, the hotfix would need
to remain active and check each module loaded into the kernel, as modules
might point to the real do_brk() call. Yes, it becomes _much_ harder for an
intruder to exploit it, but the patch is not perfect.

...But anyway, it is quite welcome, a very valuable work.

Of course, the only way out of trouble is to install a new kernel. Sadly,
many people handle uptimes as pissing contests and disregard updating their
systems.

Greetings,

-- 
Gunnar Wolf - gwolf@gwolf.cx - (+52-55)5630-9700 ext. 1366
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973 F800 D80E F35A 8BB5 27AF
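The two patching strategies argued over in this thread, and the two objections raised against the scanning one (false positives on data that merely looks like a call, and modules loaded later that still reference the real do_brk), can be seen side by side in a small userspace simulation. The following C program is an added example written for this page; it is not the posted module, not Goetz's proposal, and contains no real kernel code. The load addresses (TEXT_BASE, MOD_BASE), the layout of the fake kernel text, the byte contents and the "constant table" that happens to decode as a call are all constructed for the demonstration. It models only the x86 rel32 call/jmp encoding (E8/E9 followed by a 32-bit displacement relative to the next instruction), which is what both approaches manipulate.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a slice of x86 kernel text plus one module loaded
 * later. Addresses, layout and bytes are invented for this example. */
#define TEXT_BASE 0xc0100000u   /* assumed address of core kernel text */
#define MOD_BASE  0xd0800000u   /* assumed address of a module loaded afterwards */
#define TEXT_SIZE 64u
enum { SITE_A = 0x00, SITE_B = 0x08, DATA_OFF = 0x10,   /* two calls to do_brk, one look-alike table */
       DO_BRK_OFF = 0x20, WRAP_OFF = 0x30 };            /* simulated do_brk and wrapper bodies */

static uint8_t text[TEXT_SIZE], module_text[8];

/* Write a 5-byte rel32 call (E8) or jmp (E9) that will sit at address site. */
static void emit_rel32(uint8_t *buf, size_t off, uint8_t op, uint32_t site, uint32_t target)
{
    int32_t rel = (int32_t)(target - (site + 5));
    buf[off] = op;
    memcpy(buf + off + 1, &rel, 4);
}

/* Absolute target of a rel32 call/jmp whose opcode byte sits at address site. */
static uint32_t rel32_target(const uint8_t *p, uint32_t site)
{
    int32_t rel;
    memcpy(&rel, p + 1, 4);
    return site + 5 + (uint32_t)rel;
}

static void build_image(void)
{
    memset(text, 0x90, sizeof text);                  /* nop filler everywhere else */
    memset(module_text, 0x90, sizeof module_text);
    emit_rel32(text, SITE_A, 0xE8, TEXT_BASE + SITE_A, TEXT_BASE + DO_BRK_OFF);
    emit_rel32(text, SITE_B, 0xE8, TEXT_BASE + SITE_B, TEXT_BASE + DO_BRK_OFF);
    /* Data, not code: a table that happens to hold the same byte pattern. */
    emit_rel32(text, DATA_OFF, 0xE8, TEXT_BASE + DATA_OFF, TEXT_BASE + DO_BRK_OFF);
    /* The module was linked against the real do_brk symbol. */
    emit_rel32(module_text, 0, 0xE8, MOD_BASE, TEXT_BASE + DO_BRK_OFF);
}

/* Approach 1 (the posted module): scan kernel text for every E8/E9 that
 * resolves to do_brk and point it at the wrapper. Returns sites rewritten. */
static int patch_call_sites(uint32_t old_fn, uint32_t new_fn)
{
    int n = 0;
    for (size_t i = 0; i + 5 <= TEXT_SIZE; i++) {
        if ((text[i] == 0xE8 || text[i] == 0xE9) && rel32_target(text + i, TEXT_BASE + i) == old_fn) {
            int32_t rel = (int32_t)(new_fn - (TEXT_BASE + i + 5));
            memcpy(text + i + 1, &rel, 4);
            n++;
        }
    }
    return n;
}

/* Approach 2 (Goetz's suggestion): overwrite do_brk's first five bytes with
 * "jmp wrapper", so every caller, present or future, lands in the wrapper. */
static void patch_entry(uint32_t fn, uint32_t wrapper)
{
    emit_rel32(text, fn - TEXT_BASE, 0xE9, fn, wrapper);
}

/* Where control ends up when the call at site_buf[off] executes: follow the
 * call, then follow a jmp if one has been planted at the landing address. */
static uint32_t simulate_call(const uint8_t *site_buf, uint32_t site_base, size_t off)
{
    uint32_t t = rel32_target(site_buf + off, site_base + off);
    if (t >= TEXT_BASE && t + 5 <= TEXT_BASE + TEXT_SIZE && text[t - TEXT_BASE] == 0xE9)
        t = rel32_target(text + (t - TEXT_BASE), t);
    return t;
}

struct outcome {
    int places_touched, data_clobbered;            /* spots written; was the table altered? */
    uint32_t core_call_lands, module_call_lands;   /* where SITE_A's and the module's calls end up */
};

struct outcome run_scenario(int use_entry_patch)
{
    struct outcome r; uint8_t data_before[5];
    build_image();
    memcpy(data_before, text + DATA_OFF, 5);
    if (use_entry_patch) {
        patch_entry(TEXT_BASE + DO_BRK_OFF, TEXT_BASE + WRAP_OFF);
        r.places_touched = 1;                      /* only do_brk's own entry was written */
    } else
        r.places_touched = patch_call_sites(TEXT_BASE + DO_BRK_OFF, TEXT_BASE + WRAP_OFF);
    r.core_call_lands = simulate_call(text, TEXT_BASE, SITE_A);
    r.module_call_lands = simulate_call(module_text, MOD_BASE, 0);
    r.data_clobbered = memcmp(data_before, text + DATA_OFF, 5) != 0;
    return r;
}

int main(void)
{
    for (int mode = 0; mode < 2; mode++) {
        struct outcome o = run_scenario(mode);
        printf("%s: touched=%d core->%08x module->%08x data_clobbered=%d\n",
               mode ? "entry jmp" : "site scan", o.places_touched,
               (unsigned)o.core_call_lands, (unsigned)o.module_call_lands, o.data_clobbered);
    }
    return 0;
}
```

With the site scan, three places are rewritten although only two are calls: the constant table at DATA_OFF is corrupted because its bytes resolve to do_brk when decoded as an instruction, which is the "guesswork" Goetz objects to, and the later-loaded module's call still reaches the real do_brk, which is Gunnar's point. With the jmp at do_brk's entry only one location is written, the table is untouched, and the module's call is redirected as well because it passes through the patched entry. The simulation does not model what a real hotfix also has to get right: writing the five bytes atomically on a live SMP kernel, and the fact that the replacement routine has to be a complete fixed do_brk, since the original's first instructions are destroyed by the jmp.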