Bug 9924 - Two vmsplice local root exploits
Two vmsplice local root exploits
Status: CLOSED CODE_FIX
Product: Memory Management
Classification: Unclassified
Component: Other
All Linux
: P1 high
Assigned To: Andrew Morton
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2008-02-09 15:00 UTC by Slava Gorbunov
Modified: 2008-02-10 15:32 UTC (History)
5 users (show)

See Also:
Kernel Version: 2.6.24
Tree: Mainline
Regression: ---


Attachments

Description Slava Gorbunov 2008-02-09 15:00:59 UTC
Latest working kernel version: 
Earliest failing kernel version: 2.6.17
Distribution: Gentoo
Hardware Environment:
Software Environment:
Problem Description:
Two root exploits have been reported:
http://milw0rm.com/exploits/5093
http://milw0rm.com/exploits/5092

Both exploits cause kernel Oops or (randomly) give root privilegies to the user.

Here is the same bug reported in gentoo bugzilla:
http://bugs.gentoo.org/show_bug.cgi?id=209460

Steps to reproduce:
Compile and run the exploit.
Comment 1 Daniel Drake 2008-02-09 16:30:03 UTC
Assuming this is about CVE-2008-0009/10, this is fixed with "[PATCH] splice: missing user pointer access verification" which is included in 2.6.24.1 and 2.6.23.15. If someone can confirm my assumption, please close this bug.
Comment 2 Theodor Milkov 2008-02-09 22:01:27 UTC
It's not properly fixed in 2.6.24.1. E.g. see http://bugs.gentoo.org/show_bug.cgi?id=209460
Comment 3 Daniel Drake 2008-02-10 03:19:49 UTC
http://bugzilla.kernel.org/show_bug.cgi?id=9924

> It's not properly fixed in 2.6.24.1. E.g. see
> http://bugs.gentoo.org/show_bug.cgi?id=209460

Indeed, I can confirm this.

2.6.24.1 fixes this exploit:
http://milw0rm.com/exploits/5093
(labelled "Diane Lane ...")

but does not fix this one, which still gives me root access on 2.6.24.1:
http://milw0rm.com/exploits/5092
("jessica_biel_naked_in_my_bed.c")

alternative link to the still-working exploit:
http://bugs.gentoo.org/attachment.cgi?id=143059&action=view

Daniel

Comment 4 Radek Pilar 2008-02-10 03:31:36 UTC
This is NOT fixed in 2.6.24.1: http://www.securityfocus.com/data/vulnerabilities/exploits/27704.c
But this probably is: http://www.securityfocus.com/data/vulnerabilities/exploits/27704-2.c (at least I can't reproduce it).

Linux Rimmer 2.6.24.1 #4 SMP PREEMPT Sat Feb 9 16:50:17 CET 2008 i686 GNU/Linux
Comment 5 Daniel Drake 2008-02-10 03:31:37 UTC
I have personally tested both exploits under a recent 2.6.22 release, 
latest 2.6.23 and latest 2.6.24. Results:

http://milw0rm.com/exploits/5093 ("diane_lane")
This was a bug added in 2.6.23, still present in 2.6.24, but fixed by 
the most recent -stable releases for both branches:
- Not exploitable in 2.6.22.10
- Not exploitable in 2.6.23.15
- Not exploitable in 2.6.24.1
so this one is done and dusted...


http://milw0rm.com/exploits/5092 ("jessica_biel")
alt link: http://bugs.gentoo.org/attachment.cgi?id=143059&action=view
This is still exploitable in the latest kernel releases and the exploit 
source suggests it has been present since 2.6.17
- Exploitable in 2.6.22.10
- Exploitable in 2.6.23.15
- Exploitable in 2.6.24.1

Comment 6 Anonymous Emailer 2008-02-10 04:08:25 UTC
Reply-To: alan@redhat.com

On Sun, Feb 10, 2008 at 11:28:51AM +0000, Daniel Drake wrote:
> I have personally tested both exploits under a recent 2.6.22 release, 
> latest 2.6.23 and latest 2.6.24. Results:

There's a fix/explanation proposed for the other one on linux-kernel

Comment 7 Daniel Drake 2008-02-10 15:32:01 UTC
fixed in Linus' tree as 712a30e63c8066ed84385b12edbfb804f49cbc44

Note You need to log in before you can comment on or make changes to this bug.