Bug 9924
| Summary: | Two vmsplice local root exploits | | |
|---|---|---|---|
| Product: | Memory Management | Reporter: | Slava Gorbunov (slava) |
| Component: | Other | Assignee: | Andrew Morton (akpm) |
| Status: | CLOSED CODE_FIX | | |
| Severity: | high | CC: | dsd, hrubi13, kai.kasurinen, polynomial-c, rpilar, ucelsanicin |
| Priority: | P1 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Kernel Version: | 2.6.24 | Subsystem: | |
| Regression: | --- | Bisected commit-id: | |
Description
Slava Gorbunov
2008-02-09 15:00:59 UTC
Assuming this is about CVE-2008-0009/10, this is fixed with "[PATCH] splice: missing user pointer access verification", which is included in 2.6.24.1 and 2.6.23.15. If someone can confirm my assumption, please close this bug.

It's not properly fixed in 2.6.24.1. E.g. see
http://bugs.gentoo.org/show_bug.cgi?id=209460
http://bugzilla.kernel.org/show_bug.cgi?id=9924

> It's not properly fixed in 2.6.24.1. E.g. see
> http://bugs.gentoo.org/show_bug.cgi?id=209460

Indeed, I can confirm this. 2.6.24.1 fixes this exploit: http://milw0rm.com/exploits/5093 (labelled "Diane Lane ...") but does not fix this one, which still gives me root access on 2.6.24.1: http://milw0rm.com/exploits/5092 ("jessica_biel_naked_in_my_bed.c")

Alternative link to the still-working exploit: http://bugs.gentoo.org/attachment.cgi?id=143059&action=view

Daniel

This is NOT fixed in 2.6.24.1: http://www.securityfocus.com/data/vulnerabilities/exploits/27704.c
But this probably is: http://www.securityfocus.com/data/vulnerabilities/exploits/27704-2.c (at least I can't reproduce it).

Linux Rimmer 2.6.24.1 #4 SMP PREEMPT Sat Feb 9 16:50:17 CET 2008 i686 GNU/Linux

I have personally tested both exploits under a recent 2.6.22 release, latest 2.6.23 and latest 2.6.24. Results:

http://milw0rm.com/exploits/5093 ("diane_lane")
This was a bug added in 2.6.23, still present in 2.6.24, but fixed by the most recent -stable releases for both branches:
- Not exploitable in 2.6.22.10
- Not exploitable in 2.6.23.15
- Not exploitable in 2.6.24.1

so this one is done and dusted...

http://milw0rm.com/exploits/5092 ("jessica_biel") alt link: http://bugs.gentoo.org/attachment.cgi?id=143059&action=view
This is still exploitable in the latest kernel releases and the exploit source suggests it has been present since 2.6.17:
- Exploitable in 2.6.22.10
- Exploitable in 2.6.23.15
- Exploitable in 2.6.24.1

Reply-To: alan@redhat.com

On Sun, Feb 10, 2008 at 11:28:51AM +0000, Daniel Drake wrote:
> I have personally tested both exploits under a recent 2.6.22 release,
> latest 2.6.23 and latest 2.6.24. Results:

There's a fix/explanation proposed for the other one on linux-kernel.

Fixed in Linus' tree as 712a30e63c8066ed84385b12edbfb804f49cbc44