Gentoo Forums
20 lines of C code can kill ALL 2.6.xx kernels and most 2.4.
Forum: Networking & Security

xiando (n00b; Joined: 29 Feb 2004; Posts: 19; Location: EU)
PostPosted: Sat Jun 12, 2004 3:28 am    Post subject: 20 lines of C code can kill ALL 2.6.xx kernels and most 2.4.

New Kernel Crash-Exploit discovered
http://linuxreviews.org/news/2004-06-11_kernel_crash/
writes: "It is unclear why the Gentoo patch/version of the 2.4.26 kernel is safe using this config..."

I do not know WHY, but this is the ONLY kernel I know about that cannot be crashed by anyone with shell access on a Linux server.

Kernels that can be killed (system freeze) by any remote user with SSH access include:

* Linux 2.6.x
  o Linux 2.6.7-rc2
  o Linux 2.6.6 (all versions)
  o Linux 2.6.6 SMP (verified by riven)
  o Linux 2.6.5-gentoo (verified by RatiX)
  o Linux 2.6.5-mm6 (verified by Mariux)
* Linux 2.4.2x
  o Linux 2.4.26 vanilla
  o Linux 2.4.26-rc1 vanilla
  o Linux 2.4.22

:-/ As said, 2.4.26-gentoo does not have this problem. I would like to know why, and I would like the kind Gentoo developers to assist the kernel developers in securing the Linux kernel.

HydroSan (l33t; Joined: 04 Mar 2004; Posts: 764; Location: The Kremlin (aka Canada))
PostPosted: Sat Jun 12, 2004 6:23 am

Is this a GCC error, or a Kernel error? Or both? I'm guessing that the Kernel would be patched either way.
_________________
I was a Gangster for Capitalism, by Major General Smedley Butler.

Server status: Currently down, being replaced with fresh install - 20% completed.

ikaro (Advocate; Joined: 14 Jul 2003; Posts: 2527; Location: Denmark)
PostPosted: Sat Jun 12, 2004 7:03 am

I just tried it on my box :x

2.6.7-rc3-mm1 + some extras and the bug works.
_________________
linux: #232767

dhurt (Apprentice; Joined: 14 May 2003; Posts: 278; Location: Davis, CA)
PostPosted: Sat Jun 12, 2004 7:05 am

Just for grins tested it on my laptop. Worked with the 3 different kernels that I have on here.

Love 2.6.6
mm-sources 2.6.7
Gentoo 2.6.5
_________________
"And isn't sanity really just a one-trick pony, anyway? I mean, all you get is one trick, rational thinking, but when you're good and crazy, ooh ooh ooh, the sky's the limit!" -- The Tick


Last edited by dhurt on Sat Jun 12, 2004 11:53 am; edited 1 time in total

Hypnos (Advocate; Joined: 18 Jul 2002; Posts: 2889; Location: Omnipresent)
PostPosted: Sat Jun 12, 2004 7:34 am

vanilla 2.6.6 + ACPI

This disturbs me. It might very well be a gcc bug, but isn't something wrong with the kernel process security model if an exception can crash a system?
_________________
Personal overlay | Simple backup scheme

neuron (Advocate; Joined: 28 May 2002; Posts: 2371)
PostPosted: Sat Jun 12, 2004 7:57 am

Hypnos wrote:
vanilla 2.6.6 + ACPI

This disturbs me. It might very well be a gcc bug, but isn't something wrong with the kernel process security model if an exception can crash a system?


Simple enough to find out, really: use it and see if the magic keys still work; if they do, the kernel is running.

Hypnos (Advocate; Joined: 18 Jul 2002; Posts: 2889; Location: Omnipresent)
PostPosted: Sat Jun 12, 2004 11:19 am

neuron wrote:
Hypnos wrote:
vanilla 2.6.6 + ACPI

This disturbs me. It might very well be a gcc bug, but isn't something wrong with the kernel process security model if an exception can crash a system?


Simple enough to find out, really: use it and see if the magic keys still work; if they do, the kernel is running.

Eh, don't want to test -- ext3 buffers aren't fully flushed on "sync".

In any case, having to use sysrq is not acceptable.
_________________
Personal overlay | Simple backup scheme

neuron (Advocate; Joined: 28 May 2002; Posts: 2371)
PostPosted: Sat Jun 12, 2004 11:54 am

Hypnos wrote:
neuron wrote:
Hypnos wrote:
vanilla 2.6.6 + ACPI

This disturbs me. It might very well be a gcc bug, but isn't something wrong with the kernel process security model if an exception can crash a system?


Simple enough to find out, really: use it and see if the magic keys still work; if they do, the kernel is running.

Eh, don't want to test -- ext3 buffers aren't fully flushed on "sync".

In any case, having to use sysrq is not acceptable.


Of course not, I meant to test for someone who's in a position to do so (for example using a livecd, or in a virtual machine).

dhurt (Apprentice; Joined: 14 May 2003; Posts: 278; Location: Davis, CA)
PostPosted: Sat Jun 12, 2004 12:21 pm

I am not sure what process controls the network card, but after running the program my laptop will still respond to a ping. That is the only response that I get out of the computer.
_________________
"And isn't sanity really just a one-trick pony, anyway? I mean, all you get is one trick, rational thinking, but when you're good and crazy, ooh ooh ooh, the sky's the limit!" -- The Tick

Lisandro (Apprentice; Joined: 07 Mar 2003; Posts: 154; Location: Rosario, SFE, Argentina)
PostPosted: Sat Jun 12, 2004 12:54 pm

I just came across this bug myself... can't try it because I'm not at home and I'm working via SSH, but it seems to be confirmed. It makes me uneasy that no one seems to know if this is a GCC bug, a kernel one, or a combination of both, at least yet....

codemaker (Guru; Joined: 03 Jun 2004; Posts: 398; Location: Lisboa, Portugal)
PostPosted: Sat Jun 12, 2004 1:05 pm

HydroSan wrote:
Is this a GCC error, or a Kernel error? Or both? I'm guessing that the Kernel would be patched either way.


Even if it is a gcc bug, the kernel shouldn't be vulnerable to defective applications that can be run by a user. So I say that is at least a kernel bug.

nizar (Apprentice; Joined: 19 Dec 2003; Posts: 268; Location: localhost)
PostPosted: Sat Jun 12, 2004 1:28 pm

Just tried it and it worked.

kernel 2.6.6
Gentoo Base System version 1.4.16
gcc (GCC) 3.3.3 20040412 (Gentoo Linux 3.3.3-r6, ssp-3.3.2-2, pie-8.7.6)

nathandial (n00b; Joined: 25 May 2004; Posts: 22; Location: Birmingham, AL USA)
PostPosted: Sat Jun 12, 2004 2:13 pm

Until I tried this, I didn't realize how strange it was for Linux to lock up. It felt like ... like Windows.

:shudder:

ikaro (Advocate; Joined: 14 Jul 2003; Posts: 2527; Location: Denmark)
PostPosted: Sat Jun 12, 2004 2:46 pm

And I tried with SysRq, and yes, the system reboots, so the kernel still responds to keyboard input... only that key combination ;)
_________________
linux: #232767

HydroSan (l33t; Joined: 04 Mar 2004; Posts: 764; Location: The Kremlin (aka Canada))
PostPosted: Sat Jun 12, 2004 5:26 pm

Well, five bucks says it'll already be patched in 2.6.7 when it's released, so no worries.
_________________
I was a Gangster for Capitalism, by Major General Smedley Butler.

Server status: Currently down, being replaced with fresh install - 20% completed.

Tii (l33t; Joined: 02 Jan 2004; Posts: 733)
PostPosted: Sat Jun 12, 2004 8:27 pm

My 2.4.25-selinux-r2 went down like a baby. Most disturbing.

grantangi (n00b; Joined: 18 Jan 2004; Posts: 32; Location: 52°00'165" N 8°34'365" E)
PostPosted: Sat Jun 12, 2004 9:24 pm

I just tested it on my machine and it hung...

But I could reboot it with CTRL-ALT-DEL and even work on the machine when I telneted in from my other machine. I couldn't find any strange entries in any logs but I wasn't able to kill the process either.

I also checked some of the data in /proc but couldn't find anything abnormal so far...

System:

Kernel gentoo-dev-sources 2.6.6 (gcc version 3.3.2 20031218 (Gentoo Linux 3.3.2-r5, propolice-3.3-7)) #3 SMP + noirqdebug
baselayout-1.9.4-r2

nizar (Apprentice; Joined: 19 Dec 2003; Posts: 268; Location: localhost)
PostPosted: Sat Jun 12, 2004 9:46 pm

I'm trying to find entries in the logs also but nothing there!

Tii (l33t; Joined: 02 Jan 2004; Posts: 733)
PostPosted: Sat Jun 12, 2004 9:49 pm

I also tried selinux-2.4.26 and it is also affected (no surprise). I tried to ssh to the box but that didn't seem to work and I was able to get no response to any keys I tried. Hopefully they get a patch for that soon. It's not such a big deal for me as only I and some friends have access to the computer (and they wouldn't want to crash it) but I'll still sleep better when I know that this is no longer an issue. There's some explanation for those who understand anything about it:
http://marc.theaimsgroup.com/?l=linux-kernel&m=108704809114434&w=2

edit: Of course you can't ssh to the box if you haven't got the daemon started. I'll blame the fact that it's over midnight here and I'm really tired. I'll give the ssh thing another go though before I go to bed.
edit2: Too tired. It's half past one already and my emerge sync seems to be never-ending. Bummer.


Last edited by Tii on Sat Jun 12, 2004 10:26 pm; edited 2 times in total

Hypnos (Advocate; Joined: 18 Jul 2002; Posts: 2889; Location: Omnipresent)
PostPosted: Sat Jun 12, 2004 10:12 pm

Derryth wrote:
[...] There's some explanation for those who understand anything about it:
http://marc.theaimsgroup.com/?l=linux-kernel&m=108704809114434&w=2

I don't understand the particulars, but the code manages to create an FPU fault in kernel space, and then the kernel trips on "fwait" which raises an exception. Perhaps magic key/ctl-alt-del still works because it's a lower control which kills the offending thread.
_________________
Personal overlay | Simple backup scheme

dioxmat (Bodhisattva; Joined: 04 May 2002; Posts: 709; Location: /home/mat)
PostPosted: Mon Jun 14, 2004 3:13 pm

Trivial patch:
http://marc.theaimsgroup.com/?l=bk-commits-head&m=108709606126541&w=2
and for x86-64 too:
http://marc.theaimsgroup.com/?l=bk-commits-head&m=108713580130848&w=2
_________________
mat

grantangi (n00b; Joined: 18 Jan 2004; Posts: 32; Location: 52°00'165" N 8°34'365" E)
PostPosted: Mon Jun 14, 2004 4:03 pm

dioxmat wrote:
Trivial patch:
http://marc.theaimsgroup.com/?l=bk-commits-head&m=108709606126541&w=2
and for x86-64 too:
http://marc.theaimsgroup.com/?l=bk-commits-head&m=108713580130848&w=2


Yep... :D :D :D ...works like a charm...

See ya
Udo

Lews_Therin (l33t; Joined: 03 Oct 2003; Posts: 657; Location: Banned)
PostPosted: Mon Jun 14, 2004 4:48 pm

dioxmat wrote:
Trivial patch:
http://marc.theaimsgroup.com/?l=bk-commits-head&m=108709606126541&w=2
and for x86-64 too:
http://marc.theaimsgroup.com/?l=bk-commits-head&m=108713580130848&w=2


I have a new "you know you run Linux when..." line.

Quote:
You know you run Linux when the latest and only major bug is crushed within two days

Red Sparrow (Tux's lil' helper; Joined: 05 Feb 2004; Posts: 128; Location: Greeley, CO)
PostPosted: Mon Jun 14, 2004 6:42 pm

Doesn't compile on PPC either.

(- Steve -)

allucid (Veteran; Joined: 02 Nov 2002; Posts: 1314; Location: atlanta)
PostPosted: Mon Jun 14, 2004 7:32 pm

It only applies to the x86 architecture.

Page 1 of 2 (all times are GMT)