http://www.cr-secure.net Found by: borg (ChrisR-)
A small bug in PaX was found.
What is PaX? -----------------------
PaX is a collection of intrusion prevention patches for the Linux Kernel 2.2, 2.4, and 2.6.
This advisory only affects the PaX patches for the 2.6 linux kernel.
PaX is located at http://pax.grsecurity.net
Impact? ------------------
Denial of service through putting the kernel into an infinite loop when ASLR is enabled.
Vulnerable PaX code? ----------------------- (sorry for white space) ==================================================== 'linux/mm/mmap.c'
if (start_addr != TASK_UNMAPPED_BASE) {
#ifdef CONFIG_PAX_RANDMMAP
if (current->flags & PF_PAX_RANDMMAP)
start_addr = addr = TASK_UNMAPPED_BASE + mm->delta_mmap;
else
#endif
start_addr = addr = TASK_UNMAPPED_BASE;
goto full_search;
}
return -ENOMEM;
==================================================== And the correct code,
grab the patch at http://pax.grsecurity.net/pax-linux-2.6.5-200405011700.patch
=====================================================
Exploit Code? -----------------------
Im not releasing my exploit code for this just yet. Pherhaps I never will. But its very simple code, simple enough to do in 2 lines. Your not getting anymore proof of concept code from me on any advisories.
Fix? -----------------------
PaX team is aware of the problem and has already released a fix for this on the PaX homepage.
Thanks and greets: Mattjf, TLharris, Shrike, think, and efnet #cryptography
http://www.cr-secure.net [EMAIL PROTECTED]
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
