● Linux 2.0.36: The stuff that was 'fixed quie - 荔园在线 | 深圳大学学生论坛,荔园晨风BBS,深大在线网站

荔园之美，在春之萌芽，在夏之绽放，在秋之收获，在冬之沉淀

发信人: Lg (创造人生的传奇), 信区: Linux
标  题: Linux 2.0.36: The stuff that was 'fixed quietly' [Summary]
发信站: BBS 荔园晨风站 (Sat Dec 12 14:05:55 1998), 站内信件 (WWW POST)

From alan@LXORGUK.UKUU.ORG.UK Sat Dec 12 13:05:57 1998
       Date: Thu, 10 Dec 1998 22:50:00 GMT
       From: Alan Cox
       Reply-To: Bugtraq List
       To: BUGTRAQ@NETSPACE.ORG
       Subject: Linux 2.0.36: The stuff that was 'fixed quietly' [Summary
]

       Linux 2.0.36 fixed various security holes as does any stable OS up
date. Some
       of these may have equivalents in other systems, so this documents
the
       relevant ones now that every vendor should have their kernel updat
es long
       out.

       Overall:

       o       If you have untrusted local users using 2.0.x x<36 there a
re denial
               of service attacks possible. If you actively use securelev
el and
               append only files there is a possibility to write data ove
r files
               a user has only append access too.

       o       If you run masquerading there is a possible crash mended.
I failed
               to succeed in causing it but its fixed nevertheless and it
s
               potentially exploitable.

       The things of relevance we fixed

       o       mmap on append only files has to be restricted to read map
s. Linux
               2.0.35 did this but it was possible to use mprotect() to t
hen change
               the mapping to Read/write. 2.0.36 closes this hole.

       o       readv/writev could crash. Linux uses "NULL" to indicate no
method
               is available for unix read/write operations. The readv/wri
tev
               calls neglected to check this. So a writev() to a device t
hat has
               no write method crashes the program and may make a mess.

       o       A fencepost error in the syscall return path. x86 syscall
returns
               are fun because many things can fault in supervisor space
if the
               user process did something stupid, or another thread does
things
               like play with the local descriptor table between the call
and
               return. The Linux kernel catches such faults and tidies up
. There
               was a small range of code that it mistakenly considered as
not
               part of the return path.

       o       When interpreting PC partition tables there are a couple o
f places
               where you end up doing (something+1) and dividing by it. A
partition
               table with 65535 listed for cylinders caused divide by zer
o errors.

       o       An unchecked size/offset assumption in the masquerading co
de could
               in theory lead to a crash.

       I wouldnt be suprised to see the mmap and partition table ones in
other OS's
       but I doubt the readv/fencepost errors have any obvious equivalenc
e.

       ------

       Vendor upgrade notes:

       Red Hat Software:
       http://www.redhat.com/support/docs/rhl/intel/kernel-upgrade-intel.
html

       No other vendor has bothered to reply to the original vendor-sec r
equest
       for comments on this message so far.

--
※ 修改:．Lg 于 Dec 12 14:42:00 修改本文．[FROM: 192.168.0.1]
☆ 来源:．BBS 荔园晨风站 bbs.szu.edu.cn．[FROM: 210.39.0.47]

荔园在线首页友情链接：深圳大学深大招生荔园晨风BBS S-Term软件网络书店