fixed in v220.127.116.11, also caught by StackProtector
Posted Sep 26, 2009 9:55 UTC (Sat) by mingo
In reply to: fixed in v18.104.22.168
Parent article: Kernel release status
It simply was not known as an exploitable bug. When we know something is exploitable a -stable kernel is released immediately, within hours.
(Let me know about a labeling method that actually works in practice - I'm not aware of any. Post facto labeling does not actually prevent bugs from getting mislabeled - it mostly only increases the security theatre - i.e. rewards the wrong kind of behaviour and the people who leech off of that.)
Also, note that if you had StackProtector enabled (CONFIG_CC_STACKPROTECTOR_ALL=y), the bug is not exploitable into a local root hole but gets caught and the break-in attempt gets exposed:
[ 66.928106] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff810c49d2
[ 66.939059] Pid: 2628, comm: exploit Not tainted 2.6.31 #17228
[ 66.944947] Call Trace:
[ 66.947423] [ffffffff81622ba6] panic+0x84/0x12f
[ 66.952238] [ffffffff810c49d2] ? sys_perf_counter_open+0x660/0x672
[ 66.958729] [ffffffff810500cd] __stack_chk_fail+0x27/0x57
[ 66.964419] [ffffffff810c49d2] sys_perf_counter_open+0x660/0x672
It's a good thing we revived this feature in recent kernels, it already caught real kernel bugs and also catches exploit attempts.
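What the stack-protector panic above is catching, shown as an added user-space simulation that is not part of mingo's comment or of the kernel's own code: a canary sits between a fixed-size buffer and the saved return address and is checked before the function returns, so an overrun is detected and reported instead of silently redirecting control. The frame layout, canary value and the `stack_protector_check` function are constructed for illustration; a real build with CONFIG_CC_STACKPROTECTOR_ALL inserts this check in every function's epilogue automatically.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a stack frame: locals first, then the canary the
 * compiler places just below the saved return address. Not the real layout. */
struct frame {
    char buf[16];
    uint64_t canary;
    uint64_t saved_ret;   /* stands in for the saved return address */
};

#define CANARY_VALUE 0x5a5a3c3cdeadbeefULL   /* constructed; real ones are random per boot */
#define FAKE_RET     0x0000dead00000000ULL   /* constructed placeholder, not a real address */

/* Copy n bytes into the frame's buffer. The length is deliberately not checked
 * against sizeof(buf), mirroring the bug class the stack protector catches;
 * the copy is clamped to the struct so this example itself stays well-defined. */
static void vulnerable_copy(struct frame *f, const char *src, size_t n)
{
    if (n > sizeof(*f))
        n = sizeof(*f);
    memcpy((char *)f, src, n);   /* with n > 16 this overruns buf into canary/saved_ret */
}

/* Returns 1 if the canary check fires (overflow detected), 0 if the frame is intact. */
int stack_protector_check(size_t input_len)
{
    struct frame f;
    char input[sizeof f];

    memset(input, 'A', sizeof input);   /* constructed attacker-controlled input */
    f.canary = CANARY_VALUE;
    f.saved_ret = FAKE_RET;

    vulnerable_copy(&f, input, input_len);

    if (f.canary != CANARY_VALUE) {
        /* In the kernel this is the point where __stack_chk_fail() panics,
         * before the corrupted saved_ret could ever be used. */
        printf("stack-protector: frame corrupted (len=%zu), canary mismatch\n", input_len);
        return 1;
    }
    return 0;
}

int main(void)
{
    printf("16 bytes: %d, 17 bytes: %d\n",
           stack_protector_check(16), stack_protector_check(17));
    return 0;
}
```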