Linux Kernel验证“map_count”变量本地安全限制绕过漏洞
Linux Kernel验证“map_count”变量本地安全限制绕过漏洞
发布日期:2011-02-22
更新日期:2011-02-22
受影响系统:
Linux kernel 2.6.x
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 46492
CVE ID: CVE-2011-1010
Linux Kernel是开放源码操作系统Linux所使用的内核。
Linux Kernel验证"map_count"变量在实现上存在本地安全限制绕过漏洞,攻击者可利用此漏洞绕过安全限制执行未授权操作。
<*来源:Timo Warns (<warns@pre-sense.de>)
链接:http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=fa7ea87a057958a8b7926c1a60a3ca6d696328ed
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Timo Warns (<warns@pre-sense.de>)提供了如下测试方法:
int mac_partition(struct parsed_partitions *state)
{
- int slot = 1;
Sector sect;
unsigned char *data;
- int blk, blocks_in_map;
+ int slot, blocks_in_map;
unsigned secsize;
#ifdef CONFIG_PPC_PMAC
int found_root = 0;
@@ -59,10 +58,14 @@ int mac_partition(struct parsed_partitions *state)
put_dev_sector(sect);
return 0; /* not a MacOS disk */
}
- strlcat(state->pp_buf, " [mac]", PAGE_SIZE);
blocks_in_map = be32_to_cpu(part->map_count);
- for (blk = 1; blk <= blocks_in_map; ++blk) {
- int pos = blk * secsize;
+ if (blocks_in_map < 0 || blocks_in_map >= DISK_MAX_PARTS) {
+ put_dev_sector(sect);
+ return 0;
+ }
+ strlcat(state->pp_buf, " [mac]", PAGE_SIZE);
+ for (slot = 1; slot <= blocks_in_map; ++slot) {
+ int pos = slot * secsize;
put_dev_sector(sect);
data = read_part_sector(state, pos/512, §);
if (!data)
@@ -113,13 +116,11 @@ int mac_partition(struct parsed_partitions *state)
}
if (goodness > found_root_goodness) {
- found_root = blk;
+ found_root = slot;
found_root_goodness = goodness;
}
}
#endif /* CONFIG_PPC_PMAC */
-
- ++slot;
}
#ifdef CONFIG_PPC_PMAC
if (found_root_goodness)
建议:
--------------------------------------------------------------------------------
厂商补丁:
Linux
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.kernel.org/
评论暂时关闭