寄托天下
查看: 2025|回复: 3
打印 上一主题 下一主题

[计算机] LINUX最新大漏洞 [复制链接]

Rank: 11Rank: 11Rank: 11Rank: 11

声望
3110
寄托币
48275
注册时间
2003-9-1
精华
44
帖子
1501

荣誉版主 GRE斩浪之魂 Golden Apple

跳转到指定楼层
楼主
发表于 2009-8-14 23:09:18 |只看该作者 |倒序浏览
http://lwn.net/Articles/347006/

Another kernel NULL pointer vulnerability[Posted August 13, 2009 by corbet]               


From: Tavis Ormandy <taviso-AT-sdf.lonestar.org>
To: full-disclosure-AT-lists.grok.org.uk, bugtraq-AT-securityfocus.com
Subject: Linux NULL pointer dereference due to incorrect proto_ops initializations
Date: Thu, 13 Aug 2009 20:57:53 +0200
Message-ID: <20090813185753.GA5961@sdf.lonestar.org>
Archive-link: Article, Thread              
Linux NULL pointer dereference due to incorrect proto_ops initializations
-------------------------------------------------------------------------

In the Linux kernel, each socket has an associated struct of operations
called proto_ops which contain pointers to functions implementing various
features, such as accept, bind, shutdown, and so on.

If an operation on a particular socket is unimplemented, they are expected
to point the associated function pointer to predefined stubs, for example if
the "accept" operation is undefined it would point to sock_no_accept(). However,
we have found that this is not always the case and some of these pointers are
left uninitialized.

This is not always a security issue, as the kernel validates the pointers at
the call site, such as this example from sock_splice_read:

static ssize_t sock_splice_read(struct file *file, loff_t *ppos,
                    struct pipe_inode_info *pipe, size_t len,
                unsigned int flags)
{
    struct socket *sock = file->private_data;

    if (unlikely(!sock->ops->splice_read))
        return -EINVAL;

    return sock->ops->splice_read(sock, ppos, pipe, len, flags);
}

But we have found an example where this is not the case; the sock_sendpage()
routine does not validate the function pointer is valid before dereferencing
it, and therefore relies on the correct initialization of the proto_ops
structure.

We have identified several examples where the initialization is incomplete:

- The SOCKOPS_WRAP macro defined in include/linux/net.h, which appears correct
  at first glance, was actually affected. This includes PF_APPLETALK, PF_IPX,
  PF_IRDA, PF_X25 and PF_AX25 families.

- Initializations were missing in other protocols, including PF_BLUETOOTH,
  PF_IUCV, PF_INET6 (with IPPROTO_SCTP), PF_PPPOX and PF_ISDN.

--------------------
Affected Software
------------------------

All Linux 2.4/2.6 versions since May 2001 are believed to be affected:

- Linux 2.4, from 2.4.4 up to and including 2.4.37.4
- Linux 2.6, from 2.6.0 up to and including 2.6.30.4

--------------------
Consequences
-----------------------

This issue is easily exploitable for local privilege escalation. In order to
exploit this, an attacker would create a mapping at address zero containing
code to be executed with privileges of the kernel, and then trigger a
vulnerable operation using a sequence like this:

/* ... */
    int fdin = mkstemp(template);
    int fdout = socket(PF_PPPOX, SOCK_DGRAM, 0);

    unlink(template);

    ftruncate(fdin, PAGE_SIZE);

    sendfile(fdout, fdin, NULL, PAGE_SIZE);
/* ... */

Please note, sendfile() is just one of many ways to cause a sendpage
operation on a socket.

Successful exploitation will lead to complete attacker control of the system.

-------------------
Mitigation
-----------------------

Recent kernels with mmap_min_addr support may prevent exploitation if
the sysctl vm.mmap_min_addr is set above zero. However, administrators
should be aware that LSM based mandatory access control systems, such
as SELinux, may alter this functionality.

It should also be noted that all kernels up to 2.6.30.2 are vulnerable to
published attacks against mmap_min_addr.

-------------------
Solution
-----------------------

Linus committed a patch correcting this issue on 13th August 2009.

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-...

-------------------
Credit
-----------------------

This bug was discovered by Tavis Ormandy and Julien Tinnes of the Google
Security Team.


--
-------------------------------------
taviso@sdf.lonestar.org | finger me for my gpg key.
-------------------------------------------------------
回应
0

使用道具 举报

Rank: 6Rank: 6

声望
18
寄托币
2817
注册时间
2006-4-11
精华
1
帖子
25
沙发
发表于 2009-11-5 15:40:30 |只看该作者
他们是怎么发现的?或者说,如何locate问题所在?

使用道具 举报

Rank: 11Rank: 11Rank: 11Rank: 11

声望
3110
寄托币
48275
注册时间
2003-9-1
精华
44
帖子
1501

荣誉版主 GRE斩浪之魂 Golden Apple

板凳
发表于 2009-11-7 01:20:42 |只看该作者
如何找漏洞也是一门学问。顶级黑客也不过是找漏洞比较厉害而已。

具体的方法有很多:静态分析,动态分析。最土(牛?)的直接读代码。

使用道具 举报

Rank: 9Rank: 9Rank: 9

声望
336
寄托币
955
注册时间
2006-3-31
精华
11
帖子
465

荣誉版主

地板
发表于 2009-11-7 03:52:11 |只看该作者
这种漏洞一般不是特意去检查而发现的
可能碰巧有人要基于这段代码进行开发才发现的


飞起来的时候幸福的感觉就来了!

使用道具 举报

RE: LINUX最新大漏洞 [修改]
您需要登录后才可以回帖 登录 | 立即注册

问答
Offer
投票
面经
最新
精华
转发
转发该帖子
LINUX最新大漏洞
https://bbs.gter.net/thread-996123-1-1.html
复制链接
发送
报offer 祈福 爆照
回顶部