20 lines of C code can kill ALL 2.6.xx kernels and most 2.4.

Message

xiando · Post by **xiando** » Sat Jun 12, 2004 3:28 am

New Kernel Crash-Exploit discovered
http://linuxreviews.org/news/2004-06-11_kernel_crash/
writes It is unclear why the Gentoo patch/version of the 2.4.26 kernel is safe using this config...

I do now know WHY but this is the ONLY kernel I know about that can not be crashed by anyone with shell access on a Linux server.

Kernels that can be killed (system freeze) by any remote user with SSH access include:

* Linux 2.6.x
o Linux 2.6.7-rc2
o Linux 2.6.6 (all versions)
o Linux 2.6.6 SMP (verified by riven)
o Linux 2.6.5-gentoo (verified by RatiX)
o Linux 2.6.5-mm6 - (verified by Mariux)
* Linux 2.4.2x
o Linux 2.4.26 vanilla
o Linux 2.4.26-rc1 vanilla
o Linux 2.4.22

:-/ As said, 2.4.26-gentoo does not have this problem. I would like to know why, and I would like the kind Gentoo developers to assist the kernel devlopers in securing the linux kernel.

HydroSan · Post by **HydroSan** » Sat Jun 12, 2004 6:23 am

Is this a GCC error, or a Kernel error? Or both? I'm guessing that the Kernel would be patched either way.

ikaro · Post by **ikaro** » Sat Jun 12, 2004 7:03 am

i just tried it on my box

2.6.7-rc3-mm1 + some extras and the bug works.

dhurt · Post by **dhurt** » Sat Jun 12, 2004 7:05 am

Just for grins tested it on my laptop. Worked with the 3 different kernels that I have on here.

Love 2.6.6
mm-sources 2.6.7
Gentoo 2.6.5

Hypnos · Post by **Hypnos** » Sat Jun 12, 2004 7:34 am

vanilla 2.6.6 + ACPI

This disturbs me. It might very well be a gcc bug, but isn't something wrong with the kernel process security model if an exception can crash a system?

neuron · Post by **neuron** » Sat Jun 12, 2004 7:57 am

Hypnos wrote:vanilla 2.6.6 + ACPI

This disturbs me. It might very well be a gcc bug, but isn't something wrong with the kernel process security model if an exception can crash a system?

simple enough to find out really, use it and see if magic keys still work, if they do the kernel is running.

Hypnos · Post by **Hypnos** » Sat Jun 12, 2004 11:19 am

neuron wrote:
Hypnos wrote:vanilla 2.6.6 + ACPI

This disturbs me. It might very well be a gcc bug, but isn't something wrong with the kernel process security model if an exception can crash a system?
simple enough to find out really, use it and see if magic keys still work, if they do the kernel is running.

Eh, don't want to test -- ext3 buffers aren't fully flushed on "sync".

In any case, having to use sysrq is not an acceptable.

neuron · Post by **neuron** » Sat Jun 12, 2004 11:54 am

Hypnos wrote:
neuron wrote:
Hypnos wrote:vanilla 2.6.6 + ACPI

This disturbs me. It might very well be a gcc bug, but isn't something wrong with the kernel process security model if an exception can crash a system?
simple enough to find out really, use it and see if magic keys still work, if they do the kernel is running.
Eh, don't want to test -- ext3 buffers aren't fully flushed on "sync".

In any case, having to use sysrq is not an acceptable.

of course not, I meant to test for someone who's in position to do so (for example using a livecd, or in a virtual machine)

dhurt · Post by **dhurt** » Sat Jun 12, 2004 12:21 pm

I am not sure what process controls the network card, but after running the program my laptop will still respond to a ping. That is the only responce that I get out of the computer.

Lisandro · Post by **Lisandro** » Sat Jun 12, 2004 12:54 pm

I just came across this bug myself... can't try it because i'm not at home and i'm working via SSH, but it seems to be confirmed. It makes me uneasy that no one seems to know if this is a GCC bug, a kernel one, or a combination of both, at least yet....

codemaker · Post by **codemaker** » Sat Jun 12, 2004 1:05 pm

HydroSan wrote:Is this a GCC error, or a Kernel error? Or both? I'm guessing that the Kernel would be patched either way.

Even if it is a gcc bug, the kernel shouldn't be vulnerable to defective applications that can be run by a user. So I say that is at least a kernel bug.

nizar · Post by **nizar** » Sat Jun 12, 2004 1:28 pm

Just tried it and it worked

kernel 2.6.6
Gentoo Base System version 1.4.16
gcc (GCC) 3.3.3 20040412 (Gentoo Linux 3.3.3-r6, ssp-3.3.2-2, pie-8.7.6)

nathandial · Post by **nathandial** » Sat Jun 12, 2004 2:13 pm

Until I tried this, I didn't realize how strange it was for Linux to lock up. It felt like ... like Windows.

:shudder:

ikaro · Post by **ikaro** » Sat Jun 12, 2004 2:46 pm

and i tried with the SysREQ and yes the system reboots, so the kernel stil responds to keyboard input, .. only that key combination

HydroSan · Post by **HydroSan** » Sat Jun 12, 2004 5:26 pm

Well, five bucks says it'll already be patched in 2.6.7 when it's release, so no worries.

Tii · Post by **Tii** » Sat Jun 12, 2004 8:27 pm

My 2.4.25-selinux-r2 is went down like a baby. Most disturbing.

grantangi · Post by **grantangi** » Sat Jun 12, 2004 9:24 pm

I just tested it on my machine and it hung...

But I could reboot it with CTRL-ALT-DEL and even work on the machine when I telneted in from my other machine. I couldn't find any strange entries in any logs but I wasn't able to kill the process either.

I also checked some of the data in /proc but couldn't find anything anormal so far...

System:

Kernel gentoo-dev-sources 2.6.6 (gcc version 3.3.2 20031218 (Gentoo Linux 3.3.2-r5, propolice-3.3-7)) #3 SMP + noirqdebug
baselayout-1.9.4-r2

nizar · Post by **nizar** » Sat Jun 12, 2004 9:46 pm

I'm trying to find entries in the logs also but nothing there!

Tii · Post by **Tii** » Sat Jun 12, 2004 9:49 pm

I also tried selinux-2.4.26 and it is also affected (no suprise). I tried to ssh to the box but that didn't seem to work and I was able to get no response to any keys I tried. Hopefully they get a pacth for that soon. It's not such a big deal for me as only I and some friends have access to the computer (and they wouldn't want to crash it) but I'll still sleep better when I know that this is no longer an issue. There's some explanation for those who understand anything about it:
http://marc.theaimsgroup.com/?l=linux-k ... 114434&w=2

edit: Of course you can't ssh to the box if you haven't got the daemon started. I'll blame the fact that it's over midnight here and I'm really tired. I'll give the ssh thing another go though before I go to bed.
edit2: Too tired. It's half past one already and my emerge sync seems to be never-ending. Bummer.

Hypnos · Post by **Hypnos** » Sat Jun 12, 2004 10:12 pm

Derryth wrote:[...] There's some explanation for those who understand anything about it:
http://marc.theaimsgroup.com/?l=linux-k ... 114434&w=2

I don't understand the particulars, but the code manages to create an FPU fault in kernel space, and then the kernel trips on "fwait" which raises an exception. Perhaps magic key/ctl-alt-del still works because it's a lower control which kills the offending thread.

dioxmat · Post by **dioxmat** » Mon Jun 14, 2004 3:13 pm

Trivial patch:
http://marc.theaimsgroup.com/?l=bk-comm ... 126541&w=2
and for x86-64 too:
http://marc.theaimsgroup.com/?l=bk-comm ... 130848&w=2

grantangi · Post by **grantangi** » Mon Jun 14, 2004 4:03 pm

dioxmat wrote:Trivial patch:
http://marc.theaimsgroup.com/?l=bk-comm ... 126541&w=2
and for x86-64 too:
http://marc.theaimsgroup.com/?l=bk-comm ... 130848&w=2

Yep...

...works like a charm...

See ya
Udo

Lews_Therin · Post by **Lews_Therin** » Mon Jun 14, 2004 4:48 pm

dioxmat wrote:Trivial patch:
http://marc.theaimsgroup.com/?l=bk-comm ... 126541&w=2
and for x86-64 too:
http://marc.theaimsgroup.com/?l=bk-comm ... 130848&w=2

I have a new "you know you run Linux when..." line.

You know you run Linux when the latest and only major bug is crushed within two days

Red Sparrow · Post by **Red Sparrow** » Mon Jun 14, 2004 6:42 pm

Doesn't compile on PPC either.

(- Steve -)

allucid · Post by **allucid** » Mon Jun 14, 2004 7:32 pm

it only applies to the x86 architecture.