count”变量本地安全限制绕过漏洞

发布日期:2011-02-22
更新日期:2011-02-22

受影响系统:
Linux kernel 2.6.x
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 46492
CVE ID: CVE-2011-1010

Linux Kernel是开放源码操作系统Linux所使用的内核。

Linux Kernel验证"map_count"变量在实现上存在本地安全限制绕过漏洞,攻击者可利用此漏洞绕过安全限制执行未授权操作。


<*来源:Timo Warns (<warns@pre-sense.de>)
 
  链接:?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=fa7ea87a057958a8b7926c1a60a3ca6d696328ed
*>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

Timo Warns (<warns@pre-sense.de>)提供了如下测试方法:

int mac_partition(struct parsed_partitions *state)
{
-       int slot = 1;
        Sector sect;
        unsigned char *data;
-       int blk, blocks_in_map;
+       int slot, blocks_in_map;
        unsigned secsize;
#ifdef CONFIG_PPC_PMAC
        int found_root = 0;
@@ -59,10 +58,14 @@ int mac_partition(struct parsed_partitions *state)
                put_dev_sector(sect);
                return 0;               /* not a MacOS disk */
        }
-       strlcat(state->pp_buf, " [mac]", PAGE_SIZE);
        blocks_in_map = be32_to_cpu(part->map_count);
-       for (blk = 1; blk <= blocks_in_map; ++blk) {
-               int pos = blk * secsize;
+       if (blocks_in_map < 0 || blocks_in_map >= DISK_MAX_PARTS) {
+               put_dev_sector(sect);
+               return 0;
+       }
+       strlcat(state->pp_buf, " [mac]", PAGE_SIZE);
+       for (slot = 1; slot <= blocks_in_map; ++slot) {
+               int pos = slot * secsize;
                put_dev_sector(sect);
                data = read_part_sector(state, pos/512, &sect);
                if (!data)
@@ -113,13 +116,11 @@ int mac_partition(struct parsed_partitions *state)
                        }

if (goodness > found_root_goodness) {
-                               found_root = blk;
+                               found_root = slot;
                                found_root_goodness = goodness;
                        }
                }
#endif /* CONFIG_PPC_PMAC */
-
-               ++slot;
        }
#ifdef CONFIG_PPC_PMAC
        if (found_root_goodness)

建议:
--------------------------------------------------------------------------------
厂商补丁:

Linux
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:https://www.heiqu.com/wwszgz.html