* kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit
From: Niki Denev @ 2008-02-10 6:04 UTC (permalink / raw)
To: linux-kernel
Hi,
As the subject says, 2.6.24.1 is still vulnerable to the vmsplice
local root exploit.
[opa@test tmp]$ uname -a
Linux tester 2.6.24.1 #1 Sun Feb 10 00:06:49 EST 2008 i686 unknown
[opa@test tmp]$ ./vms
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f56000 .. 0xb7f88000
[+] root
[root@test tmp]#
[root@test tmp]# id
uid=0(root) gid=0(root) groups=2033(opa)
[root@test tmp]# uname -a
Linux test 2.6.24.1 #1 Sun Feb 10 00:06:49 EST 2008 i686 unknown
Is there any known fix/patch for this?
* Re: kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit
From: Willy Tarreau @ 2008-02-10 6:32 UTC (permalink / raw)
To: Niki Denev; +Cc: linux-kernel, jens.axboe
On Sun, Feb 10, 2008 at 08:04:35AM +0200, Niki Denev wrote:
> Hi,
>
> As the subject says the 2.6.24.1 is still vulnerable to the vmsplice
> local root exploit.
Yes indeed, that's quite bad. 2.6.24-git is still vulnerable too, and
also contains the fix :-(
CC'd Jens as he worked on the fix.
Willy
* Re: kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit
From: Niki Denev @ 2008-02-10 6:38 UTC (permalink / raw)
To: Willy Tarreau; +Cc: linux-kernel, jens.axboe
On Feb 10, 2008 8:32 AM, Willy Tarreau <w@1wt.eu> wrote:
> On Sun, Feb 10, 2008 at 08:04:35AM +0200, Niki Denev wrote:
> > Hi,
> >
> > As the subject says the 2.6.24.1 is still vulnerable to the vmsplice
> > local root exploit.
>
> Yes indeed, that's quite bad. 2.6.24-git is still vulnerable too, and
> also contains the fix :-(
>
> CC'd Jens as he worked on the fix.
>
> Willy
>
>
I was unable to gain root on 2.6.24-git20,
but after several segfaults when executing the exploit continuously
the machine crashes.
--Niki
* Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit
From: Niki Denev @ 2008-02-10 9:40 UTC (permalink / raw)
To: Willy Tarreau; +Cc: linux-kernel, jens.axboe
On Feb 10, 2008 1:38 AM, Niki Denev <ndenev@gmail.com> wrote:
>
> On Feb 10, 2008 8:32 AM, Willy Tarreau <w@1wt.eu> wrote:
> > On Sun, Feb 10, 2008 at 08:04:35AM +0200, Niki Denev wrote:
> > > Hi,
> > >
> > > As the subject says the 2.6.24.1 is still vulnerable to the vmsplice
> > > local root exploit.
> >
> > Yes indeed, that's quite bad. 2.6.24-git is still vulnerable too, and
> > also contains the fix :-(
> >
> > CC'd Jens as he worked on the fix.
> >
> > Willy
> >
> >
>
> I was unable to gain root on 2.6.24-git20
> but after several segfaults when executing the exploit continously
> the machine crashes.
>
> --Niki
>
This fixed the problem for me (kernel 2.6.24.1):
It appears that the initial patch checked the input to vmsplice_to_user,
but the exploit used vmsplice_to_pipe which remained open to the attack.
--- fs/splice.c.orig 2008-02-08 21:55:30.000000000 +0200
+++ fs/splice.c 2008-02-10 11:32:50.000000000 +0200
@@ -1443,6 +1443,10 @@
struct pipe_inode_info *pipe;
struct page *pages[PIPE_BUFFERS];
struct partial_page partial[PIPE_BUFFERS];
+ int error;
+ long ret;
+ void __user *base;
+ size_t len;
struct splice_pipe_desc spd = {
.pages = pages,
.partial = partial,
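Review bot: `ret` is declared here and, in the next hunk, only ever assigned (`error = ret = 0;`) and never read; drop it, and drop that initialisation too, since `error` is overwritten by the first `get_user()` immediately afterwards. As posted the patch adds a dead variable to vmsplice_to_pipe().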
@@ -1450,6 +1454,31 @@
.ops = &user_page_pipe_buf_ops,
};
+ error = ret = 0;
+
+ /*
+ * Get user address base and length for this iovec.
+ */
+ error = get_user(base, &iov->iov_base);
+ if (unlikely(error))
+ return error;
+ error = get_user(len, &iov->iov_len);
+ if (unlikely(error))
+ return error;
+
+ /*
+ * Sanity check this iovec. 0 read succeeds.
+ */
+ if (unlikely(!len))
+ return 0;
+ if (unlikely(!base)) {
+ return -EFAULT;
+ }
+
+ if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
+ return -EFAULT;
+ }
+
pipe = pipe_info(file->f_path.dentry->d_inode);
if (!pipe)
return -EBADF;
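Review bot: the new check reads `iov->iov_base` and `iov->iov_len`, i.e. only the first entry of the iovec array, so every later entry still reaches the page-mapping code without a range check; this is the weakness raised further down the thread, and the place for the check is inside the per-entry loop in get_iovec_page_array(), next to the existing `!base` test, not once at the top of vmsplice_to_pipe(). Separately, `VERIFY_WRITE` does not describe the access made on this path (the user pages are read into the pipe); use `VERIFY_READ`, as Bastian Blank's alternative patch in this thread does.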
* Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit
From: Oliver Pinter @ 2008-02-10 12:04 UTC (permalink / raw)
To: Niki Denev
Cc: Willy Tarreau, linux-kernel, jens.axboe, Andrew Morton, Greg KH,
Greg KH, Linus Torvalds, stable
hmmm, the 2.6.22.y series is affected too
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Feb 9 15:34:35 2008
oliver@home:~$ ./2617_26241_root_exploit
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f79000 .. 0xb7fab000
[+] root
root@home:~# uname -a
Linux home 2.6.22.17 #3 SMP PREEMPT Mon Feb 4 17:38:33 CET 2008 i686 GNU/Linux
root@home:~#
--
Thanks,
Oliver
* Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit
From: Bastian Blank @ 2008-02-10 12:22 UTC (permalink / raw)
To: Niki Denev, Willy Tarreau; +Cc: linux-kernel, jens.axboe
On Sun, Feb 10, 2008 at 04:40:53AM -0500, Niki Denev wrote:
> this fixed the problem for me (kernel 2.6.24.1) :
> It appears that the initial patch checked the input to vmsplice_to_user,
> but the exploit used vmsplice_to_pipe which remained open to the attack.
This patch is broken. It opens the old hole again.
> @@ -1450,6 +1454,31 @@
> .ops = &user_page_pipe_buf_ops,
> };
>
> + error = ret = 0;
> +
> + /*
> + * Get user address base and length for this iovec.
> + */
> + error = get_user(base, &iov->iov_base);
> + if (unlikely(error))
> + return error;
> + error = get_user(len, &iov->iov_len);
> + if (unlikely(error))
> + return error;
iov is unchecked.
> + if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
> + return -EFAULT;
> + }
Use VERIFY_READ and this only checks the first entry.
I checked the following patch and it at least fixes the known exploit.
diff --git a/fs/splice.c b/fs/splice.c
index 14e2262..80beb2b 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1237,6 +1237,11 @@ static int get_iovec_page_array(const struct iovec __user *iov,
if (unlikely(!base))
break;
+ if (!access_ok(VERIFY_READ, base, len)) {
+ error = -EFAULT;
+ break;
+ }
+
/*
* Get this base offset and number of pages, then map
* in the user pages.
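Review bot: putting the check inside the per-iovec loop, right after the `!base` test and before the base offset and page count are computed, is the correct location, because it runs for every entry rather than only the first. Two small points: the test two lines above is written `if (unlikely(!base))`, so the new condition should use `unlikely()` as well for consistency; and since `access_ok()` is the only bound placed on `len` before it feeds the page-count arithmetic below, the commit message should state explicitly that the fix relies on `access_ok()` rejecting any range that extends past the user address limit.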
--
Even historians fail to learn from history -- they repeat the same mistakes.
-- John Gill, "Patterns of Force", stardate 2534.7
* Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit
From: Niki Denev @ 2008-02-10 12:39 UTC (permalink / raw)
To: Bastian Blank, Willy Tarreau, linux-kernel, jens.axboe
On Feb 10, 2008 12:22 PM, Bastian Blank <bastian@waldi.eu.org> wrote:
> On Sun, Feb 10, 2008 at 04:40:53AM -0500, Niki Denev wrote:
> > this fixed the problem for me (kernel 2.6.24.1) :
> > It appears that the initial patch checked the input to vmsplice_to_user,
> > but the exploit used vmsplice_to_pipe which remained open to the attack.
>
> This patch is broken. It opens the old hole again.
>
> > @@ -1450,6 +1454,31 @@
> > .ops = &user_page_pipe_buf_ops,
> > };
> >
> > + error = ret = 0;
> > +
> > + /*
> > + * Get user address base and length for this iovec.
> > + */
> > + error = get_user(base, &iov->iov_base);
> > + if (unlikely(error))
> > + return error;
> > + error = get_user(len, &iov->iov_len);
> > + if (unlikely(error))
> > + return error;
>
> iov is unchecked.
>
> > + if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
> > + return -EFAULT;
> > + }
>
> Use VERIFY_READ and this only checks the first entry.
>
> I checked the following patch and it at least fixes the known exploit.
>
> diff --git a/fs/splice.c b/fs/splice.c
> index 14e2262..80beb2b 100644
> --- a/fs/splice.c
> +++ b/fs/splice.c
> @@ -1237,6 +1237,11 @@ static int get_iovec_page_array(const struct iovec __user *iov,
> if (unlikely(!base))
> break;
>
> + if (!access_ok(VERIFY_READ, base, len)) {
> + error = -EFAULT;
> + break;
> + }
> +
> /*
> * Get this base offset and number of pages, then map
> * in the user pages.
> --
> Even historians fail to learn from history -- they repeat the same mistakes.
> -- John Gill, "Patterns of Force", stardate 2534.7
>
This patch is against 2.6.24.1, which already has the fix to vmsplice_to_user.
With it I can't exploit the hole, and it returns "invalid address".
* Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit
From: Bastian Blank @ 2008-02-10 12:47 UTC (permalink / raw)
To: Niki Denev; +Cc: Willy Tarreau, linux-kernel, jens.axboe
On Sun, Feb 10, 2008 at 12:39:05PM +0000, Niki Denev wrote:
> This patch is against 2.6.24.1 which has already the fix to vmsplice_to_user
> With it i can't exploit the hole, and it is returns "invalid address"
This is the vmsplice_to_pipe path and I have many reports that it is not
fixed.
Bastian
--
If there are self-made purgatories, then we all have to live in them.
-- Spock, "This Side of Paradise", stardate 3417.7
* Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit
From: Niki Denev @ 2008-02-10 12:54 UTC (permalink / raw)
To: Bastian Blank, linux-kernel
On Feb 10, 2008 12:47 PM, Bastian Blank <bastian@waldi.eu.org> wrote:
> On Sun, Feb 10, 2008 at 12:39:05PM +0000, Niki Denev wrote:
> > This patch is against 2.6.24.1 which has already the fix to vmsplice_to_user
> > With it i can't exploit the hole, and it is returns "invalid address"
>
> This is the vmsplice_to_pipe path and I have many reports that it is not
> fixed.
>
> Bastian
Exactly, my patch is for the vmsplice_to_pipe path.
I don't guarantee correctness, but it stops the exploit in my environment.
Niki
* Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit
From: Oliver Pinter @ 2008-02-10 13:02 UTC (permalink / raw)
To: Bastian Blank, Niki Denev, Willy Tarreau, linux-kernel, jens.axboe; +Cc: stable
thx, it is fixed for 2.6.22
>>>>>>>
commit f6e993b835393543bab2d917f9dea75218473edd
Author: Oliver Pinter <oliver.pntr@gmail.com>
Date: Sun Feb 10 14:03:46 2008 +0100
[PATCH] vm: splice local root exploit fix for 2.6.22.y
Based on Bastian Blank's patch
Fix for CVE-2008-0009 and CVE-2008-0010
----->8-----
oliver@pancs:/tmp$ ./2617_26241_root_exploit
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f1a000 .. 0xb7f4c000
[-] vmsplice: Bad address
-----8<-----
Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com>
diff --git a/fs/splice.c b/fs/splice.c
index e263d3b..d8b106e 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1182,6 +1182,12 @@ static int get_iovec_page_array(const struct
iovec __user *iov,
if (unlikely(!base))
break;
+ /* CVE-2008-0009, CVE-2008-0010 fix */
+ if(!access_ok(VERIFY_READ, base, len)) {
+ error = -EFAULT;
+ break;
+ }
+
/*
* Get this base offset and number of pages, then map
* in the user pages.
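Review bot: the added comment `/* CVE-2008-0009, CVE-2008-0010 fix */` names the wrong identifiers: as Greg KH notes later in this thread, the vmsplice_to_pipe problem this hunk fixes was assigned CVE-2008-0600, while 0009 and 0010 are the earlier, already-fixed bugs, so both the comment and the CVE line in the commit message need correcting before this goes to stable. Also, `if(!access_ok(` lacks the space after `if` that kernel coding style requires, and the hunk header has been wrapped by the mail client over two lines (`static int get_iovec_page_array(const struct` / `iovec __user *iov,`), so the patch as posted will not apply cleanly without repairing that line.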
<<<<<<<
On 2/10/08, Bastian Blank <bastian@waldi.eu.org> wrote:
> On Sun, Feb 10, 2008 at 12:39:05PM +0000, Niki Denev wrote:
> > This patch is against 2.6.24.1 which has already the fix to
> vmsplice_to_user
> > With it i can't exploit the hole, and it is returns "invalid address"
>
> This is the vmsplice_to_pipe path and I have many reports that it is not
> fixed.
>
> Bastian
>
> --
> If there are self-made purgatories, then we all have to live in them.
> -- Spock, "This Side of Paradise", stardate 3417.7
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>
oliver@pancs:/tmp$ ./2617_26241_root_exploit
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f1a000 .. 0xb7f4c000
[-] vmsplice: Bad addres
--
Thanks,
Oliver
* Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit
From: Niki Denev @ 2008-02-10 13:48 UTC (permalink / raw)
To: Bastian Blank, linux-kernel
On Feb 10, 2008 12:22 PM, Bastian Blank <bastian@waldi.eu.org> wrote:
> On Sun, Feb 10, 2008 at 04:40:53AM -0500, Niki Denev wrote:
> > this fixed the problem for me (kernel 2.6.24.1) :
> > It appears that the initial patch checked the input to vmsplice_to_user,
> > but the exploit used vmsplice_to_pipe which remained open to the attack.
>
> This patch is broken. It opens the old hole again.
>
> > @@ -1450,6 +1454,31 @@
> > .ops = &user_page_pipe_buf_ops,
> > };
> >
> > + error = ret = 0;
> > +
> > + /*
> > + * Get user address base and length for this iovec.
> > + */
> > + error = get_user(base, &iov->iov_base);
> > + if (unlikely(error))
> > + return error;
> > + error = get_user(len, &iov->iov_len);
> > + if (unlikely(error))
> > + return error;
>
> iov is unchecked.
>
> > + if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
> > + return -EFAULT;
> > + }
>
> Use VERIFY_READ and this only checks the first entry.
>
> I checked the following patch and it at least fixes the known exploit.
>
> diff --git a/fs/splice.c b/fs/splice.c
> index 14e2262..80beb2b 100644
> --- a/fs/splice.c
> +++ b/fs/splice.c
> @@ -1237,6 +1237,11 @@ static int get_iovec_page_array(const struct iovec __user *iov,
> if (unlikely(!base))
> break;
>
> + if (!access_ok(VERIFY_READ, base, len)) {
> + error = -EFAULT;
> + break;
> + }
> +
> /*
> * Get this base offset and number of pages, then map
> * in the user pages.
> --
> Even historians fail to learn from history -- they repeat the same mistakes.
> -- John Gill, "Patterns of Force", stardate 2534.7
>
As far as I can see, at least on x86 and x86_64 the first argument to
access_ok (VERIFY_READ|VERIFY_WRITE) is ignored.
Also even if it is used on different arch, using WRITE instead of READ
should be safe because WRITE is a superset of READ.
You are right that it only catches the first entry.
--Niki
* Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit
From: Greg KH @ 2008-02-10 17:05 UTC (permalink / raw)
To: Oliver Pinter
Cc: Bastian Blank, Niki Denev, Willy Tarreau, linux-kernel,
jens.axboe, stable
On Sun, Feb 10, 2008 at 02:02:27PM +0100, Oliver Pinter wrote:
> thx it fixed for 2.6.22
>
> >>>>>>>
>
> commit f6e993b835393543bab2d917f9dea75218473edd
> Author: Oliver Pinter <oliver.pntr@gmail.com>
> Date: Sun Feb 10 14:03:46 2008 +0100
>
> [PATCH] vm: splice local root exploit fix for 2.6.22.y
>
> Based on Bastian Blank's patch
>
> Fix for CVE_2008_0009 and CVE_2008-0010
>
> ----->8-----
>
> oliver@pancs:/tmp$ ./2617_26241_root_exploit
> -----------------------------------
> Linux vmsplice Local Root Exploit
> By qaaz
> -----------------------------------
> [+] mmap: 0x0 .. 0x1000
> [+] page: 0x0
> [+] page: 0x20
> [+] mmap: 0x4000 .. 0x5000
> [+] page: 0x4000
> [+] page: 0x4020
> [+] mmap: 0x1000 .. 0x2000
> [+] page: 0x1000
> [+] mmap: 0xb7f1a000 .. 0xb7f4c000
> [-] vmsplice: Bad address
>
> -----8<-----
>
> Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com>
>
> diff --git a/fs/splice.c b/fs/splice.c
> index e263d3b..d8b106e 100644
> --- a/fs/splice.c
> +++ b/fs/splice.c
> @@ -1182,6 +1182,12 @@ static int get_iovec_page_array(const struct
> iovec __user *iov,
> if (unlikely(!base))
> break;
>
> + /* CVE-2008-0009, CVE-2008-0010 fix */
No, this is a different CVE, as it is a different problem from the
original 09 and 10 report.
It has been given CVE-2008-0600 to address this issue (09 and 10 only
affect .23 and .24 kernels, and have been fixed.)
> + if(!access_ok(VERIFY_READ, base, len)) {
> + error = -EFAULT;
> + break;
> + }
Hm, perhaps we should just properly check the len field instead? That's
what is being overflowed here...
thanks,
greg k-h
* Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit
From: Pekka Enberg @ 2008-02-10 17:11 UTC (permalink / raw)
To: Greg KH
Cc: Oliver Pinter, Bastian Blank, Niki Denev, Willy Tarreau,
linux-kernel, jens.axboe, stable
On Feb 10, 2008 7:05 PM, Greg KH <greg@kroah.com> wrote:
> No, this is a different CVE, as it is a different problem from the
> original 09 and 10 report.
>
> It has been given CVE-2008-0600 to address this issue (09 and 10 only
> affect .23 and .24 kernels, and have been fixed.)
>
> > + if(!access_ok(VERIFY_READ, base, len)) {
> > + error = -EFAULT;
> > + break;
> > + }
>
> Hm, perhaps we should just properly check the len field instead? That's
> what is being overflowed here...
Sorry, I forgot to cc you on this one:
http://lkml.org/lkml/2008/2/10/153
I don't see where the current code is checking that base is
accessible. We just check that we can copy the struct iovecs, right?
Pekka
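The three points made above, that the first proposed patch only range-checked iov[0] (Bastian Blank), that it is the `len` field that overflows (Greg KH) and the question of where `base` is checked at all (Pekka Enberg), modelled as an added userspace C program. This is illustration code written for this page, not kernel code or anything posted in the thread; the page size, pipe buffer count, `MODEL_USER_LIMIT` and the sample iovec arrays are constructed assumptions.

```c
/*
 * Added userspace model of the iovec validation discussed in this thread;
 * illustration code, not kernel code.  Page size, pipe buffer count, user
 * address limit and the sample iovec arrays are all constructed here.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/uio.h>

#define MODEL_PAGE_SHIFT   12
#define MODEL_PAGE_SIZE    (1UL << MODEL_PAGE_SHIFT)
#define MODEL_PIPE_BUFFERS 16UL
#define MODEL_USER_LIMIT   0xC0000000UL   /* assumed 3G/1G split, as on 32-bit x86 */

/* Model of access_ok(): [base, base + len) must stay below the user limit and
 * must not wrap.  No direction flag: the thread notes x86 ignores it anyway. */
static int model_access_ok(uintptr_t base, size_t len)
{
    return len <= MODEL_USER_LIMIT && base <= MODEL_USER_LIMIT - len;
}

/*
 * Walk an iovec array the way the get_iovec_page_array() loop does: a
 * zero-length entry ends the walk, a NULL base is an error, and each accepted
 * entry adds (off + len) rounded up to whole pages.  check_all=0 reproduces
 * the first proposed patch, which range-checked iov[0] only.  Returns the page
 * count, or -EFAULT as soon as a checked entry fails (the model's own choice).
 */
static long walk_iovecs(const struct iovec *iov, unsigned int nr_vecs,
                        int check_all)
{
    unsigned long buffers = 0;
    unsigned int i;

    for (i = 0; i < nr_vecs && buffers < MODEL_PIPE_BUFFERS; i++) {
        uintptr_t base = (uintptr_t)iov[i].iov_base;
        size_t len = iov[i].iov_len;
        unsigned long off, npages;

        if (!len)
            break;                              /* 0 read succeeds */
        if (!base)
            return -EFAULT;
        if ((check_all || i == 0) && !model_access_ok(base, len))
            return -EFAULT;

        off = base & (MODEL_PAGE_SIZE - 1);
        /* With a huge len this sum wraps: the overflow Greg KH points at.
         * An unchecked entry then yields a bogus (here: zero) page count. */
        npages = (off + len + MODEL_PAGE_SIZE - 1) >> MODEL_PAGE_SHIFT;
        if (npages > MODEL_PIPE_BUFFERS - buffers)
            npages = MODEL_PIPE_BUFFERS - buffers;
        buffers += npages;
    }
    return (long)buffers;
}

/* Constructed inputs: a clean pair, a second entry reaching past the user
 * limit, and a second entry whose length wraps the page arithmetic. */
static const struct iovec sample_good[] = {
    { (void *)0x10000UL, 100 }, { (void *)0x20000UL, 8192 } };
static const struct iovec sample_bad_second[] = {
    { (void *)0x10000UL, 100 }, { (void *)(MODEL_USER_LIMIT - 0x10), 0x100 } };
static const struct iovec sample_wrap_second[] = {
    { (void *)0x10000UL, 100 }, { (void *)0x20000UL, SIZE_MAX } };

long good_pages(void)             { return walk_iovecs(sample_good, 2, 1); }
long bad_second_first_only(void)  { return walk_iovecs(sample_bad_second, 2, 0); }
long bad_second_all(void)         { return walk_iovecs(sample_bad_second, 2, 1); }
long wrap_second_first_only(void) { return walk_iovecs(sample_wrap_second, 2, 0); }
long wrap_second_all(void)        { return walk_iovecs(sample_wrap_second, 2, 1); }

int main(void)
{
    printf("clean pair: %ld pages\n", good_pages());
    printf("bad 2nd entry: iov[0]-only %ld, all %ld\n", bad_second_first_only(), bad_second_all());
    printf("wrapping len: iov[0]-only %ld, all %ld\n", wrap_second_first_only(), wrap_second_all());
    return 0;
}
```

With only iov[0] checked, the out-of-range second entry is accepted and counted as two pages, and the wrapping length is silently reduced to zero pages; checking every entry turns both into -EFAULT.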
* Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit
From: Oliver Pinter @ 2008-02-10 17:44 UTC (permalink / raw)
To: Greg KH
Cc: Bastian Blank, Niki Denev, Willy Tarreau, linux-kernel,
jens.axboe, stable
A simple len and base check is already in the kernel:
2.6.22.17 @ 1176,2-16 - fs/splice.c
/*
* Sanity check this iovec. 0 read succeeds.
*/
if (unlikely(!len))
break;
error = -EFAULT;
if (unlikely(!base))
break;
On 2/10/08, Greg KH <greg@kroah.com> wrote:
> On Sun, Feb 10, 2008 at 02:02:27PM +0100, Oliver Pinter wrote:
> > thx it fixed for 2.6.22
> >
> > >>>>>>>
> >
> > commit f6e993b835393543bab2d917f9dea75218473edd
> > Author: Oliver Pinter <oliver.pntr@gmail.com>
> > Date: Sun Feb 10 14:03:46 2008 +0100
> >
> > [PATCH] vm: splice local root exploit fix for 2.6.22.y
> >
> > Based on Bastian Blank's patch
> >
> > Fix for CVE_2008_0009 and CVE_2008-0010
> >
> > ----->8-----
> >
> > oliver@pancs:/tmp$ ./2617_26241_root_exploit
> > -----------------------------------
> > Linux vmsplice Local Root Exploit
> > By qaaz
> > -----------------------------------
> > [+] mmap: 0x0 .. 0x1000
> > [+] page: 0x0
> > [+] page: 0x20
> > [+] mmap: 0x4000 .. 0x5000
> > [+] page: 0x4000
> > [+] page: 0x4020
> > [+] mmap: 0x1000 .. 0x2000
> > [+] page: 0x1000
> > [+] mmap: 0xb7f1a000 .. 0xb7f4c000
> > [-] vmsplice: Bad address
> >
> > -----8<-----
> >
> > Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com>
> >
> > diff --git a/fs/splice.c b/fs/splice.c
> > index e263d3b..d8b106e 100644
> > --- a/fs/splice.c
> > +++ b/fs/splice.c
> > @@ -1182,6 +1182,12 @@ static int get_iovec_page_array(const struct
> > iovec __user *iov,
> > if (unlikely(!base))
> > break;
> >
> > + /* CVE-2008-0009, CVE-2008-0010 fix */
>
> No, this is a different CVE, as it is a different problem from the
> original 09 and 10 report.
>
> It has been given CVE-2008-0600 to address this issue (09 and 10 only
> affect .23 and .24 kernels, and have been fixed.)
>
> > + if(!access_ok(VERIFY_READ, base, len)) {
> > + error = -EFAULT;
> > + break;
> > + }
>
> Hm, perhaps we should just properly check the len field instead? That's
> what is being overflowed here...
>
> thanks,
>
> greg k-h
>
--
Thanks,
Oliver
* Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit
From: Oliver Pinter @ 2008-02-10 17:48 UTC (permalink / raw)
To: Greg KH
Cc: Bastian Blank, Niki Denev, Willy Tarreau, linux-kernel,
jens.axboe, stable
thanks for the info
On 2/10/08, Greg KH <greg@kroah.com> wrote:
> On Sun, Feb 10, 2008 at 02:02:27PM +0100, Oliver Pinter wrote:
> > thx it fixed for 2.6.22
> >
> > >>>>>>>
> >
> > commit f6e993b835393543bab2d917f9dea75218473edd
> > Author: Oliver Pinter <oliver.pntr@gmail.com>
> > Date: Sun Feb 10 14:03:46 2008 +0100
> >
> > [PATCH] vm: splice local root exploit fix for 2.6.22.y
> >
> > Based on Bastian Blank's patch
> >
> > Fix for CVE_2008_0009 and CVE_2008-0010
> >
> > ----->8-----
> >
> > oliver@pancs:/tmp$ ./2617_26241_root_exploit
> > -----------------------------------
> > Linux vmsplice Local Root Exploit
> > By qaaz
> > -----------------------------------
> > [+] mmap: 0x0 .. 0x1000
> > [+] page: 0x0
> > [+] page: 0x20
> > [+] mmap: 0x4000 .. 0x5000
> > [+] page: 0x4000
> > [+] page: 0x4020
> > [+] mmap: 0x1000 .. 0x2000
> > [+] page: 0x1000
> > [+] mmap: 0xb7f1a000 .. 0xb7f4c000
> > [-] vmsplice: Bad address
> >
> > -----8<-----
> >
> > Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com>
> >
> > diff --git a/fs/splice.c b/fs/splice.c
> > index e263d3b..d8b106e 100644
> > --- a/fs/splice.c
> > +++ b/fs/splice.c
> > @@ -1182,6 +1182,12 @@ static int get_iovec_page_array(const struct
> > iovec __user *iov,
> > if (unlikely(!base))
> > break;
> >
> > + /* CVE-2008-0009, CVE-2008-0010 fix */
>
> No, this is a different CVE, as it is a different problem from the
> original 09 and 10 report.
>
> It has been given CVE-2008-0600 to address this issue (09 and 10 only
> affect .23 and .24 kernels, and have been fixed.)
>
> > + if(!access_ok(VERIFY_READ, base, len)) {
> > + error = -EFAULT;
> > + break;
> > + }
>
> Hm, perhaps we should just properly check the len field instead? That's
> what is being overflowed here...
>
> thanks,
>
> greg k-h
>
--
Thanks,
Oliver