Blog de Ubuntu en Español Blog [no oficial] de Ubuntu en Español

31 Dec 2009

CVE-2009-4410: Linux kernel FUSE Invalid Pointer Access

This vulnerability was originally reported to Red Hat’s bug tracking system by David Shaw on 21 December 2009. The issue affects Linux kernel releases 2.6.29-rc1 through 2.6.30, and the vulnerable code is located in fs/fuse/file.c:

static int fuse_ioctl_copy_user(struct page **pages, struct iovec *iov,
                        unsigned int nr_segs, size_t bytes, bool to_user)
{
        struct iov_iter ii;
        int page_idx = 0;

        if (!bytes)
                return 0;

        iov_iter_init(&ii, iov, nr_segs, bytes, 0);

        while (iov_iter_count(&ii)) {
                struct page *page = pages[page_idx++];
                size_t todo = min_t(size_t, PAGE_SIZE, iov_iter_count(&ii));
                void *kaddr, *map;

                kaddr = map = kmap(page);

                while (todo) {
       ...
                }

                kunmap(map);
        }

        return 0;
}

As the snippet above shows, fuse_ioctl_copy_user() uses kmap() to obtain the kernel virtual address of ‘page’. That routine can be found in arch/x86/mm/highmem_32.c (for x86 processors) and it is quite simple:

void *kmap(struct page *page)
{
        might_sleep();
        if (!PageHighMem(page))
                return page_address(page);
        return kmap_high(page);
}

Here page_address() simply returns the virtual address of the page passed to it as an argument. The counterpart for unmapping is kunmap(), which is located in the same source file:

void kunmap(struct page *page)
{
        if (in_interrupt())
                BUG();
        if (!PageHighMem(page))
                return;
        kunmap_high(page);
}

The problem with fuse_ioctl_copy_user() is that, instead of unmapping the actual page, the code passes kunmap() the virtual address that kmap() returned for that page (the page_address() return value stored in ‘map’). kunmap() expects a struct page pointer, so this results in an attempt to unmap an invalid pointer. The fix for this bug was to change the kunmap() call as follows:

                }

-               kunmap(map);
+               kunmap(page);
        }
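
Review bot: with `kunmap(page)` in place, `map` is no longer read by any line quoted on this page; it is only assigned in `kaddr = map = kmap(page);`. If the elided inner loop does not use it either, drop the variable and write `kaddr = kmap(page);`. The old call compiled cleanly only because C converts `void *` to `struct page *` implicitly, so removing the stray `void *` also removes the chance of handing it to kunmap() again.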

Assuming that we passed an invalid page pointer to kunmap(), that we are not in interrupt context, and that PageHighMem() evaluates true for that pointer, the following code will be executed:

/**
 * kunmap_high - map a highmem page into memory
 * @page: &struct page to unmap
 *
 * If ARCH_NEEDS_KMAP_HIGH_GET is not defined then this may be called
 * only from user context.
 */
void kunmap_high(struct page *page)
{
        unsigned long vaddr;
        unsigned long nr;
        unsigned long flags;
        int need_wakeup;

        lock_kmap_any(flags);
        vaddr = (unsigned long)page_address(page);
        BUG_ON(!vaddr);
        nr = PKMAP_NR(vaddr);

        /*
         * A count must never go down to zero
         * without a TLB flush!
         */
      ...
}

So, unless there is a way to make page_address() return a non-NULL value for ‘vaddr’, the result of this bug would be a hit on BUG_ON(), which is of course a kernel panic. However, if a user manages to have a valid page structure at that address, the subsequent operations might result in exploitable conditions, even though I was not able to confirm this.
In any case, since the vulnerability is part of an IOCTL handler, it can be reached really easily through fuse_file_do_ioctl(), which is a well-documented IOCTL handling routine.

static long fuse_file_do_ioctl(struct file *file, unsigned int cmd,
                               unsigned long arg, unsigned int flags)
{
        struct inode *inode = file->f_dentry->d_inode;
        struct fuse_file *ff = file->private_data;
        struct fuse_conn *fc = get_fuse_conn(inode);
        struct fuse_ioctl_in inarg = {
                .fh = ff->fh,
                .cmd = cmd,
                .arg = arg,
                .flags = flags
        };
      ...
        /* okay, let's send it to the client */
        req->in.h.opcode = FUSE_IOCTL;
        req->in.h.nodeid = get_node_id(inode);
        req->in.numargs = 1;
        req->in.args[0].size = sizeof(inarg);
        req->in.args[0].value = &inarg;
        if (in_size) {
                req->in.numargs++;
                req->in.args[1].size = in_size;
                req->in.argpages = 1;

                err = fuse_ioctl_copy_user(pages, in_iov, in_iovs, in_size,
                                           false);
                if (err)
                        goto out;
        }
      ...
}
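
The type confusion behind this bug, as an added user-space model (not kernel code and not from the original post): kmap() hands back a void *, and C passes that to a struct page * parameter without complaint. The model_* and unmap_* names, the four-entry mem_map and the range check inside model_page_address() are assumptions of the example; the -1 return marks where kunmap_high() would reach BUG_ON(!vaddr).

```c
#include <stddef.h>
#include <stdint.h>
/* User-space model, constructed for illustration; none of this is kernel code. */
struct page { void *virtual; int map_count; };
static struct page mem_map[4];           /* stand-in for the page array */
static unsigned char backing[4][4096];   /* stand-in for the mapped memory */

/* Model of page_address(); the range check exists only in this model. */
static void *model_page_address(const struct page *page)
{
    uintptr_t p = (uintptr_t)page, base = (uintptr_t)mem_map;
    if (p < base || p >= base + sizeof(mem_map))
        return NULL;                     /* not a struct page at all */
    return page->virtual;
}

static void *model_kmap(struct page *page)
{
    page->virtual = backing[page - mem_map];
    page->map_count++;
    return page->virtual;
}

/* Returns 0 on success, -1 where kunmap_high() would hit BUG_ON(!vaddr). */
static int model_kunmap(struct page *page)
{
    if (!model_page_address(page))
        return -1;
    page->map_count--;
    return 0;
}

/* Pre-fix pattern: C converts void * to struct page * without a diagnostic. */
static int unmap_buggy(struct page *page)
{
    void *map = model_kmap(page);
    return model_kunmap(map);            /* mapped address, not the page */
}

/* Post-fix pattern: kunmap gets the same struct page that was mapped. */
static int unmap_fixed(struct page *page)
{
    (void)model_kmap(page);
    return model_kunmap(page);
}

int main(void)
{
    return !(unmap_buggy(&mem_map[1]) == -1 && unmap_fixed(&mem_map[2]) == 0);
}
```

In the buggy path the mapping count of the page is never dropped, which is the second effect of the wrong argument besides the failed lookup.
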
Filed under: Contributors No Comments
31 Dec 2009

PDF to JPEG Image Conversion Shell Script

Pdfimages can generate JPEG image files from a PDF file. Each page is converted to a JPEG file.

Using pdfimages, I wrote a shell script which generates JPEG image files for all PDF files in the current directory.

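$ cat pdffiles2jpeg.sh
#!/bin/bash

# Expand to nothing (instead of the literal pattern) when no PDF is present.
shopt -s nullglob

# Iterate over each PDF file in the current directory. Globbing with a ./
# prefix copes with spaces in names and with names that begin with a dash.
for file in ./*.pdf
do
    # Strip the .pdf suffix to get the root name for the output images.
    image_root="${file%.pdf}"
    /usr/bin/pdfimages -j "$file" "$image_root"
done

exit 0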

31 Dec 2009

Linux Networking Cookbook


If you want a book that lays out the steps for specific Linux networking tasks, one that clearly explains the commands and configurations, this is the book for you. Linux Networking Cookbook is a soup-to-nuts collection of recipes that covers everything you need to know to perform your job as a Linux network administrator. You’ll dive straight into the gnarly hands-on work of building and maintaining a computer network.

31 Dec 2009

Clustering technology on Linux

Clustering technology is now widely used for systems that need high availability. All the major vendors have their own clustering solutions. Clustering solutions on Linux attract particular attention because of their cost-effectiveness, high service capability, and variety.

31 Dec 2009

DHCP on Linux

When administering a network, we usually have to assign an IP address to each computer so that the machines can communicate with one another. On a relatively small network (about 10 to 20 machines), assigning an IP to each computer is fairly easy for an administrator, who only needs a few familiar steps to set the IP addresses. On a large network (20 machines or more), however, assigning IPs this way becomes truly tiring and difficult, and if machines are frequently moved around, it turns into a rather complicated and exhausting job.

31 Dec 2009

sharing folder linux – windows with samba

Hello again in 2010. Yup, new year, new spirit. OK, the first tutorial of 2010 is about how to share folders between different operating systems (Linux and Windows). Here I am using Windows XP and Ubuntu 9.04. To share folders between these two operating systems we use a Samba server, which is of course installed on Ubuntu. How?

Make sure your computer/notebook/netbook is connected to the internet. Next, open a terminal and type the following command:

sudo apt-get install samba

Once the installation has finished, the next step is to configure the smb.conf file. How? Open a terminal and type the following command:

sudo gedit /etc/samba/smb.conf

Or use sudo nano or vi or whatever you prefer; what matters is that you get into the smb.conf file. After that, look in the [Global] section, then find and edit:

workgroup = EXAMPLE

security = user

My advice is to leave these at their defaults, or change them if you want to.

Next, and this is the most important part, add a [Share] section; just type or copy the following {put it at the very bottom}:

[share]
comment = Ubuntu File Server Share
path = /srv/samba/share
browsable = yes
guest ok = yes
read only = no
create mask = 0755

OK, now save the file. Once Samba is configured, set up the permissions of the folder that will be shared by typing the following commands:

sudo mkdir -p /srv/samba/share
sudo chown nobody:nogroup /srv/samba/share/

The next step is to restart Samba:

sudo /etc/init.d/samba restart

Done.

If there are no error messages, we can test it. To fetch a folder from Windows on Linux, type the following in Nautilus:

smb://ipwindows {e.g. smb://192.168.1.1}

And to fetch a folder on Linux from Windows, type the following in the Explorer address bar:

\\iplinux {e.g. \\192.168.1.2}
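
The [share] section in this tutorial turns on guest access (guest ok = yes) for a writable share (read only = no). An added variant, not part of the original tutorial, that keeps the share writable but requires an account; the group smbshare, the user alice and the 192.168.1.0/24 range are assumptions of the example:

```ini
# /etc/samba/smb.conf (constructed example)
[global]
workgroup = EXAMPLE
security = user
# Never fall back to the guest account on a failed login.
map to guest = never
# Only answer clients on the local subnet (assumed range).
hosts allow = 192.168.1.0/24 127.0.0.1

[share]
comment = Ubuntu File Server Share
path = /srv/samba/share
browsable = yes
# Tutorial value: guest ok = yes (no authentication for this share).
guest ok = no
# Only members of the assumed group smbshare may connect.
valid users = @smbshare
read only = no
force group = smbshare
create mask = 0660
directory mask = 0770

# Matching setup on the server (alice is a hypothetical user):
#   sudo groupadd smbshare && sudo usermod -aG smbshare alice
#   sudo smbpasswd -a alice
#   sudo chown root:smbshare /srv/samba/share && sudo chmod 2770 /srv/samba/share
```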


31 Dec 2009

linux bashing

i’ve been a linux user for years now, and migrating from debian to gentoo made the linux experience much better since many ABI incompatibilities were solvable by a simple reinstallation of the program having problems resolving symbols or a library update.

right now i face several problems which i can’t ignore:

  • after a reboot the two mouse devices on my laptop stop working and on the next reboot they do work. i don’t know why yet?! my current fix is to rely on an external mouse ;P
  • i hit the ‘xfs/ext3 journal’ bug with two massive kde file losses which meant a lot of reconfiguration
  • i lost all ‘notes’ which were saved in the plasma widget called ‘notes’ and all kmail settings as well as all kaddressbook settings (yes i have a backup but this all costs a lot of time to figure out what exactly is gone). also all bookmarks in konqueror as well as other things i don’t remember are ‘gone’.
  • i use thunderbird right now but the self-signed ssl certificate error pops up every time i start the application. if i don’t hit the ‘ok’ button in say 2 minutes the connection timeout forces me to restart the application or i won’t be able to read the mails at all. why isn’t there a simple button to ‘permanently’ trust the self-signed certificate as there is in kmail?
  • my system seems to be very unstable as for instance working on the ‘automate’ project (which is qt4 based) lets me ‘lock up’ my computer nearly instantly. that means the io load goes high while i get serious OOM problems. it could be the ‘io wait bug’ but using ‘noop’ instead of ‘cfq’ does not make things better here so i doubt that
  • my system crashed after a hibernate resume with a blinking cursor using nvidia.ko and now i can’t use the proprietary nvidia.ko driver anymore since it would lock my system right after reboot. currently i’m using ‘nv’ with all its slowness
  • neither nv nor nvidia.ko seem to be able to work reliably for hibernate-ram. nv does not enable the backlight so my screen stays black after resume so at least i can reboot with pressing the power button. using the nvidia.ko module will crash it no matter which version i try
  • i don’t get hdmi working and hot-switching using nvidia.ko does not work well either
  • io in general seems to be very slow and many processes have a high ‘io wait’ issue. using htop one can see that both cpus have about 90% gray bars with the rest – 10%  – is valid cpu load (a mixture of user/kernel space)
  • booting linux using grub works fine but is very slow (probably caused by slow nvidia console rendering)
  • kde4 is very slow as well (might be a consequence of the io-wait issue already mentioned) but using kde3 this issue wasn’t noticeable. the problem is that there are no kde3 ebuilds anymore.
  • konqueror seems to crash every 5 minutes (i use it to access samba shares using smb:// as well as sftp shares)
  • krunner and other kde components seem to crash frequently as well (seems to be a random pattern)
  • i switched from k
  • amarok does not work reliably from time to time then i can’t listen to music from magnatune and other webradios but local music works
  • smb4k is totally broken here
  • kdevelop4 is a great software and i really love it but it is very unstable and crashes very often
  • out of curiosity i’ve installed umbrello 4.3.3 and imported the automate project which instantly created a segfault
  • since kde3 is ‘obsolete‘ i lose a very cool application: konqueror 3 file size view’er, see http://risto.kurppa.fi/blog/2008/10/disk-space-analyzers/ there seems to be a kde4 plugin for konqueror as well but i can’t find it
  • after resume dbus often has crashed and i need to restart it

so now one would think the hardware is bad (which is what i would be thinking as well) but i’ve played some shooter demos and ‘sacred 2’ using windows xp for quite a while and this runs rock solid. the only issue windows shares is that after ‘standby’ the screen remains black (back-lit off) as well.

to sum up: i’m not sure what to do now but this situation is absolutely depressing since linux can’t be used AT ALL with that many problems. lately i consider installing win7. the ‘macbook pro’ of my wife is doing a great job and it runs stable although the fan makes some serious noise signaling it is damaged. i hate kde4 and the concept of their release policies. i consider kde4 not usable in a productive system and since kde3 has been removed there is no working alternative worth using (maybe xfce4).

i’m not sure what to do now? is the problem ‘open source’? why does nobody care for quality? am i using the wrong distribution again?

happy new year ;P

31 Dec 2009

Puppy Linux 431 with sound support for Toshiba NB200/NB205

31 Dec 2009

Theming Midnight Commander

It’s rare that I want or need to change the color scheme in something as ubiquitous as Midnight Commander, but there are a few times when the blue-cyan-white theme seems a bit … worn.

There are a few sample themes on a blog here, along with a script that will neatly insert them into your .mc/ini file for you, to expedite the colorization process. It would be quite handy if you’re one of those total-desktop-themers, and want to match mc to the rest of your desktop.

My favorite of the ones posted there has to be, I think, the puthre set.

But that might just be because of the green; it’s rare that I see green used at the terminal in a tasteful way. There are plenty of blues and yellows, but not so much in green. … Hmm. …

31 Dec 2009

SuperOS: Like Ubuntu But Easier

SuperOS: Like Ubuntu But Easier.

Looks interesting.  Gonna have to download and try it as soon as I get the linux box in here where I can use it again.
