[opensuse-security] Linux NULL pointer dereference
I've just seen some reports about a new kernel bug (Linux NULL pointer dereference due to incorrect proto_ops initializations http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html ). Obviously the SuSE security guys will be looking at this, but I was looking to see if there was anything I could do to protect my systems before a new kernel comes out.

The only exploit I have seen does not work on SuSE 11.1 because /usr/bin/pulseaudio is not setuid, so that is good news.

There are suggestions that running sysctl -w vm.mmap_min_addr=65536 gives protection, but there are also suggestions that this protection is flawed. Also I think it breaks 16-bit applications under wine but I can live with that.

Does anyone have any comments?

Bob Vickers

-- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
On Fri, Aug 14, 2009 at 02:43:12PM +0100, Bob Vickers wrote:
> I've just seen some reports about a new kernel bug (Linux NULL pointer dereference due to incorrect proto_ops initializations http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html ).
> Obviously the SuSE security guys will be looking at this, but I was looking to see if there was anything I could do to protect my systems before a new kernel comes out.
> The only exploit I have seen does not work on SuSE 11.1 because /usr/bin/pulseaudio is not setuid, so that is good news.

Unfortunately the exploit works, since we still have vm.mmap_min_addr = 0.

> There are suggestions that running sysctl -w vm.mmap_min_addr=65536 gives protection, but there are also suggestions that this protection is flawed. Also I think it breaks 16-bit applications under wine but I can live with that.

The currently released 11.1 kernel has bugs where this can be worked around :/

> Does anyone have any comments?

The openSUSE kernels 10.3-11.1 to fix this issue will hit the -test repos later today I hope. The SLES kernels will also be checked in today and enter QA on Monday.

Ciao, Marcus
There is a quick-fix mentioned in the fedora forum https://bugzilla.redhat.com/show_bug.cgi?id=516949 It may or may not work only as a fix for the exploit code floating around. It consists of disabling the known faulty modules by adding (in case of SuSe11.1) to /etc/modprobe.conf.local:

    install pppox /bin/true
    install pppoe /bin/true
    install bluetooth /bin/true
    install appletalk /bin/true
    install ipx /bin/true
    install sctp /bin/true
    install irda /bin/true
    install x25 /bin/true
    install bluez /bin/true
    install ax25 /bin/true

I didn't bother checking whether the modules exist at all as disabling non-existing modules should have no adverse effects. Obviously if you need any of those modules (like ipx, sctp (== ipv6) or appletalk) this won't work for you. Also I didn't test it with the exploit code so I can't comment on the effectiveness.
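As an added example (not code from this thread or from openSUSE), here is a small POSIX sh audit of the two stop-gap mitigations discussed above: the vm.mmap_min_addr sysctl that Bob and Marcus mention, and the modprobe "install <module> /bin/true" lines that Holger posted. It also reports which of those modules are already resident, since an install line only affects future loads and does nothing for a module that is loaded now. The module list is Holger's, with the PPP modules under their kernel names pppox and pppoe; the file paths are parameters so the checks can be run against constructed input, and the defaults (/proc/sys/vm/mmap_min_addr, /etc/modprobe.conf.local) are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example: audit the stop-gap mitigations for the 2009 sock_sendpage
# NULL-pointer issue discussed in the thread. Module list as posted by
# Holger, with "ppox"/"ppoe" spelled as the kernel names them.
RISKY_MODULES="pppox pppoe bluetooth appletalk ipx sctp irda x25 bluez ax25"

# check_mmap_min_addr [FILE] [THRESHOLD]
# Returns 0 when the integer in FILE (default: the live sysctl) is at least
# THRESHOLD (default 65536), 1 when it is lower, 2 when unreadable/garbage.
check_mmap_min_addr() {
    file=${1:-/proc/sys/vm/mmap_min_addr}
    threshold=${2:-65536}
    [ -r "$file" ] || return 2
    value=$(cat "$file")
    case $value in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$value" -ge "$threshold" ]
}

# has_install_line CONF MODULE: true when CONF contains
# "install MODULE /bin/true" (the form used in the thread).
has_install_line() {
    grep -Eq "^[[:space:]]*install[[:space:]]+$2[[:space:]]+/bin/true([[:space:]]|$)" "$1"
}

# disabled_modules CONF: risky modules that CONF neutralises, one per line.
disabled_modules() {
    for mod in $RISKY_MODULES; do
        if has_install_line "$1" "$mod"; then printf '%s\n' "$mod"; fi
    done
}

# missing_modules CONF: risky modules that still lack an install line.
missing_modules() {
    for mod in $RISKY_MODULES; do
        has_install_line "$1" "$mod" || printf '%s\n' "$mod"
    done
}

# loaded_risky_modules: reads lsmod-style text on stdin (header line, then
# module name in column 1) and prints the risky modules that are resident.
loaded_risky_modules() {
    awk -v list="$RISKY_MODULES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        NR > 1 && ($1 in want) { print $1 }
    '
}

# audit [CONF] [MMAP_FILE]: run all checks against the live system.
audit() {
    conf=${1:-/etc/modprobe.conf.local}
    if check_mmap_min_addr "${2:-/proc/sys/vm/mmap_min_addr}" 65536; then
        echo "vm.mmap_min_addr: OK (>= 65536)"
    else
        echo "vm.mmap_min_addr: low or unreadable (sysctl -w vm.mmap_min_addr=65536 raises it)"
    fi
    if [ -r "$conf" ]; then
        echo "risky modules without an install line in $conf:"
        missing_modules "$conf"
    else
        echo "$conf not readable; no install lines checked"
    fi
    if command -v lsmod >/dev/null 2>&1; then
        echo "risky modules currently loaded (install lines do not unload these):"
        lsmod | loaded_risky_modules
    fi
}

# Run the live audit only when asked, so the functions can be sourced.
case ${1:-} in
    --live) audit ;;
esac
```

Run it as `sh audit.sh --live` on the box in question; the functions can also be sourced and pointed at copies of the files pulled from other hosts. Note that the install-line check only recognises the exact `/bin/true` form from the thread, not blacklist entries or other install targets.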
In <4A8BF953.4090209@ira.uka.de>, Holger Hellmuth wrote:
> sctp (== ipv6)

SCTP is not IPv6. Last I checked, SCTP support is not required for an IPv6 standards conformance and is not required by the kernel's ipv6 module.

SCTP is an OSI layer 4 protocol. It is a "TCP/IP" transport layer protocol. IPv6 is an OSI layer 3 protocol. It is a "TCP/IP" Internet layer protocol.

SCTP: <http://en.wikipedia.org/wiki/Stream_Control_Transmission_Protocol>
IPv6: <http://en.wikipedia.org/wiki/IPv6>

--
Boyd Stephen Smith Jr.                     ,= ,-_-. =.
bss@iguanasuicide.net                      ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy           `-'(. .)`-'
http://iguanasuicide.net/                      \_/
participants (4): Bob Vickers, Boyd Stephen Smith Jr., Holger Hellmuth, Marcus Meissner