xiando n00b
Joined: 29 Feb 2004 Posts: 19 Location: EU
|
Posted: Sat Jun 12, 2004 3:28 am Post subject: 20 lines of C code can kill ALL 2.6.xx kernels and most 2.4. |
|
|
New Kernel Crash-Exploit discovered
http://linuxreviews.org/news/2004-06-11_kernel_crash/
writes It is unclear why the Gentoo patch/version of the 2.4.26 kernel is safe using this config...
I do not know WHY but this is the ONLY kernel I know about that can not be crashed by anyone with shell access on a Linux server.
Kernels that can be killed (system freeze) by any remote user with SSH access include:
* Linux 2.6.x
    o Linux 2.6.7-rc2
    o Linux 2.6.6 (all versions)
    o Linux 2.6.6 SMP (verified by riven)
    o Linux 2.6.5-gentoo (verified by RatiX)
    o Linux 2.6.5-mm6 (verified by Mariux)
* Linux 2.4.2x
    o Linux 2.4.26 vanilla
    o Linux 2.4.26-rc1 vanilla
    o Linux 2.4.22
:-/ As said, 2.4.26-gentoo does not have this problem. I would like to know why, and I would like the kind Gentoo developers to assist the kernel developers in securing the Linux kernel.
|
HydroSan l33t
Joined: 04 Mar 2004 Posts: 764 Location: The Kremlin (aka Canada)
|
Posted: Sat Jun 12, 2004 6:23 am Post subject: |
|
|
Is this a GCC error, or a Kernel error? Or both? I'm guessing that the Kernel would be patched either way. _________________ I was a Gangster for Capitalism, by Major General Smedley Butler.
Server status: Currently down, being replaced with fresh install - 20% completed. |
|
ikaro Advocate
Joined: 14 Jul 2003 Posts: 2527 Location: Denmark
|
Posted: Sat Jun 12, 2004 7:03 am Post subject: |
|
|
I just tried it on my box
2.6.7-rc3-mm1 + some extras and the bug works. _________________ linux: #232767 |
|
dhurt Apprentice
Joined: 14 May 2003 Posts: 278 Location: Davis, CA
|
Posted: Sat Jun 12, 2004 7:05 am Post subject: |
|
|
Just for grins tested it on my laptop. Worked with the 3 different kernels that I have on here.
Love 2.6.6
mm-sources 2.6.7
Gentoo 2.6.5 _________________ "And isn't sanity really just a one-trick pony, anyway? I mean, all you get is one trick, rational thinking, but when you're good and crazy, ooh ooh ooh, the sky's the limit!" -- The Tick
Last edited by dhurt on Sat Jun 12, 2004 11:53 am; edited 1 time in total |
|
Hypnos Advocate
Joined: 18 Jul 2002 Posts: 2889 Location: Omnipresent
|
Posted: Sat Jun 12, 2004 7:34 am Post subject: |
|
|
vanilla 2.6.6 + ACPI
This disturbs me. It might very well be a gcc bug, but isn't something wrong with the kernel process security model if an exception can crash a system?
|
neuron Advocate
Joined: 28 May 2002 Posts: 2371
|
Posted: Sat Jun 12, 2004 7:57 am Post subject: |
|
|
Hypnos wrote: | vanilla 2.6.6 + ACPI
This disturbs me. It might very well be a gcc bug, but isn't something wrong with the kernel process security model if an exception can crash a system? |
simple enough to find out really, use it and see if magic keys still work, if they do the kernel is running. |
|
Hypnos Advocate
Joined: 18 Jul 2002 Posts: 2889 Location: Omnipresent
|
Posted: Sat Jun 12, 2004 11:19 am Post subject: |
|
|
neuron wrote: | Hypnos wrote: | vanilla 2.6.6 + ACPI
This disturbs me. It might very well be a gcc bug, but isn't something wrong with the kernel process security model if an exception can crash a system? |
simple enough to find out really, use it and see if magic keys still work, if they do the kernel is running. |
Eh, don't want to test -- ext3 buffers aren't fully flushed on "sync".
In any case, having to use sysrq is not acceptable.
|
neuron Advocate
Joined: 28 May 2002 Posts: 2371
|
Posted: Sat Jun 12, 2004 11:54 am Post subject: |
|
|
Hypnos wrote: | neuron wrote: | Hypnos wrote: | vanilla 2.6.6 + ACPI
This disturbs me. It might very well be a gcc bug, but isn't something wrong with the kernel process security model if an exception can crash a system? |
simple enough to find out really, use it and see if magic keys still work, if they do the kernel is running. |
Eh, don't want to test -- ext3 buffers aren't fully flushed on "sync".
In any case, having to use sysrq is not acceptable. |
of course not, I meant to test for someone who's in position to do so (for example using a livecd, or in a virtual machine) |
|
dhurt Apprentice
Joined: 14 May 2003 Posts: 278 Location: Davis, CA
|
Posted: Sat Jun 12, 2004 12:21 pm Post subject: |
|
|
I am not sure what process controls the network card, but after running the program my laptop will still respond to a ping. That is the only response that I get out of the computer.
|
Lisandro Apprentice
Joined: 07 Mar 2003 Posts: 154 Location: Rosario, SFE, Argentina
|
Posted: Sat Jun 12, 2004 12:54 pm Post subject: |
|
|
I just came across this bug myself... can't try it because i'm not at home and i'm working via SSH, but it seems to be confirmed. It makes me uneasy that no one seems to know if this is a GCC bug, a kernel one, or a combination of both, at least yet.... |
|
codemaker Guru
Joined: 03 Jun 2004 Posts: 398 Location: Lisboa, Portugal
|
Posted: Sat Jun 12, 2004 1:05 pm Post subject: |
|
|
HydroSan wrote: | Is this a GCC error, or a Kernel error? Or both? I'm guessing that the Kernel would be patched either way. |
Even if it is a gcc bug, the kernel shouldn't be vulnerable to defective applications that can be run by a user. So I say that is at least a kernel bug. |
|
nizar Apprentice
Joined: 19 Dec 2003 Posts: 268 Location: localhost
|
Posted: Sat Jun 12, 2004 1:28 pm Post subject: |
|
|
Just tried it and it worked
kernel 2.6.6
Gentoo Base System version 1.4.16
gcc (GCC) 3.3.3 20040412 (Gentoo Linux 3.3.3-r6, ssp-3.3.2-2, pie-8.7.6) |
|
nathandial n00b
Joined: 25 May 2004 Posts: 22 Location: Birmingham, AL USA
|
Posted: Sat Jun 12, 2004 2:13 pm Post subject: |
|
|
Until I tried this, I didn't realize how strange it was for Linux to lock up. It felt like ... like Windows.
:shudder: |
|
ikaro Advocate
Joined: 14 Jul 2003 Posts: 2527 Location: Denmark
|
Posted: Sat Jun 12, 2004 2:46 pm Post subject: |
|
|
And I tried with the SysREQ and yes, the system reboots, so the kernel still responds to keyboard input... only that key combination
|
HydroSan l33t
Joined: 04 Mar 2004 Posts: 764 Location: The Kremlin (aka Canada)
|
Posted: Sat Jun 12, 2004 5:26 pm Post subject: |
|
|
Well, five bucks says it'll already be patched in 2.6.7 when it's released, so no worries.
|
Tii l33t
Joined: 02 Jan 2004 Posts: 733
|
Posted: Sat Jun 12, 2004 8:27 pm Post subject: |
|
|
My 2.4.25-selinux-r2 went down like a baby. Most disturbing.
|
grantangi n00b
Joined: 18 Jan 2004 Posts: 32 Location: 52°00'165" N 8°34'365" E
|
Posted: Sat Jun 12, 2004 9:24 pm Post subject: |
|
|
I just tested it on my machine and it hung...
But I could reboot it with CTRL-ALT-DEL and even work on the machine when I telneted in from my other machine. I couldn't find any strange entries in any logs but I wasn't able to kill the process either.
I also checked some of the data in /proc but couldn't find anything abnormal so far...
System:
Kernel gentoo-dev-sources 2.6.6 (gcc version 3.3.2 20031218 (Gentoo Linux 3.3.2-r5, propolice-3.3-7)) #3 SMP + noirqdebug
baselayout-1.9.4-r2 |
|
nizar Apprentice
Joined: 19 Dec 2003 Posts: 268 Location: localhost
|
Posted: Sat Jun 12, 2004 9:46 pm Post subject: |
|
|
I'm trying to find entries in the logs also but nothing there! |
|
Tii l33t
Joined: 02 Jan 2004 Posts: 733
|
Posted: Sat Jun 12, 2004 9:49 pm Post subject: |
|
|
I also tried selinux-2.4.26 and it is also affected (no surprise). I tried to ssh to the box but that didn't seem to work and I was able to get no response to any keys I tried. Hopefully they get a patch for that soon. It's not such a big deal for me as only I and some friends have access to the computer (and they wouldn't want to crash it) but I'll still sleep better when I know that this is no longer an issue. There's some explanation for those who understand anything about it:
http://marc.theaimsgroup.com/?l=linux-kernel&m=108704809114434&w=2
edit: Of course you can't ssh to the box if you haven't got the daemon started. I'll blame the fact that it's over midnight here and I'm really tired. I'll give the ssh thing another go though before I go to bed.
edit2: Too tired. It's half past one already and my emerge sync seems to be never-ending. Bummer.
Last edited by Tii on Sat Jun 12, 2004 10:26 pm; edited 2 times in total |
|
Hypnos Advocate
Joined: 18 Jul 2002 Posts: 2889 Location: Omnipresent
|
Posted: Sat Jun 12, 2004 10:12 pm Post subject: |
|
|
I don't understand the particulars, but the code manages to create an FPU fault in kernel space, and then the kernel trips on "fwait" which raises an exception. Perhaps magic key/ctl-alt-del still works because it's a lower control which kills the offending thread.
|
dioxmat Bodhisattva
Joined: 04 May 2002 Posts: 709 Location: /home/mat
|
|
grantangi n00b
Joined: 18 Jan 2004 Posts: 32 Location: 52°00'165" N 8°34'365" E
|
Posted: Mon Jun 14, 2004 4:03 pm Post subject: |
|
|
Yep... ...works like a charm...
See ya
Udo |
|
Lews_Therin l33t
Joined: 03 Oct 2003 Posts: 657 Location: Banned
|
Posted: Mon Jun 14, 2004 4:48 pm Post subject: |
|
|
I have a new "you know you run Linux when..." line.
Quote: | You know you run Linux when the latest and only major bug is crushed within two days |
|
|
Red Sparrow Tux's lil' helper
Joined: 05 Feb 2004 Posts: 128 Location: Greeley, CO
|
Posted: Mon Jun 14, 2004 6:42 pm Post subject: |
|
|
Doesn't compile on PPC either.
(- Steve -) |
|
allucid Veteran
Joined: 02 Nov 2002 Posts: 1314 Location: atlanta
|
Posted: Mon Jun 14, 2004 7:32 pm Post subject: |
|
|
it only applies to the x86 architecture. |
|