Bug 9924 - Two vmsplice local root exploits
Summary: Two vmsplice local root exploits
Status: CLOSED CODE_FIX
Alias: None
Product: Memory Management
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: P1 high
Assignee: Andrew Morton
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-02-09 15:00 UTC by Slava Gorbunov
Modified: 2021-10-15 17:59 UTC
6 users

See Also:
Kernel Version: 2.6.24
Tree: Mainline
Regression: ---


Attachments

Description Slava Gorbunov 2008-02-09 15:00:59 UTC
Latest working kernel version: 
Earliest failing kernel version: 2.6.17
Distribution: Gentoo
Hardware Environment:
Software Environment:
Problem Description:
Two root exploits have been reported:
http://milw0rm.com/exploits/5093
http://milw0rm.com/exploits/5092

Both exploits cause a kernel Oops or (randomly) give root privileges to the user.

Here is the same bug reported in gentoo bugzilla:
http://bugs.gentoo.org/show_bug.cgi?id=209460

Steps to reproduce:
Compile and run the exploit.
Comment 1 Daniel Drake 2008-02-09 16:30:03 UTC
Assuming this is about CVE-2008-0009/10, this is fixed with "[PATCH] splice: missing user pointer access verification" which is included in 2.6.24.1 and 2.6.23.15. If someone can confirm my assumption, please close this bug.
Comment 2 Theodor Milkov 2008-02-09 22:01:27 UTC
It's not properly fixed in 2.6.24.1. E.g. see http://bugs.gentoo.org/show_bug.cgi?id=209460
Comment 3 Daniel Drake 2008-02-10 03:19:49 UTC
http://bugzilla.kernel.org/show_bug.cgi?id=9924

> It's not properly fixed in 2.6.24.1. E.g. see
> http://bugs.gentoo.org/show_bug.cgi?id=209460

Indeed, I can confirm this.

2.6.24.1 fixes this exploit:
http://milw0rm.com/exploits/5093
(labelled "Diane Lane ...")

but does not fix this one, which still gives me root access on 2.6.24.1:
http://milw0rm.com/exploits/5092
("jessica_biel_naked_in_my_bed.c")

alternative link to the still-working exploit:
http://bugs.gentoo.org/attachment.cgi?id=143059&action=view

Daniel
Comment 4 Radek Pilar 2008-02-10 03:31:36 UTC
This is NOT fixed in 2.6.24.1: http://www.securityfocus.com/data/vulnerabilities/exploits/27704.c
But this probably is: http://www.securityfocus.com/data/vulnerabilities/exploits/27704-2.c (at least I can't reproduce it).

Linux Rimmer 2.6.24.1 #4 SMP PREEMPT Sat Feb 9 16:50:17 CET 2008 i686 GNU/Linux
Comment 5 Daniel Drake 2008-02-10 03:31:37 UTC
I have personally tested both exploits under a recent 2.6.22 release, latest 2.6.23 and latest 2.6.24. Results:

http://milw0rm.com/exploits/5093 ("diane_lane")
This was a bug added in 2.6.23, still present in 2.6.24, but fixed by the most recent -stable releases for both branches:
- Not exploitable in 2.6.22.10
- Not exploitable in 2.6.23.15
- Not exploitable in 2.6.24.1
so this one is done and dusted...


http://milw0rm.com/exploits/5092 ("jessica_biel")
alt link: http://bugs.gentoo.org/attachment.cgi?id=143059&action=view
This is still exploitable in the latest kernel releases and the exploit source suggests it has been present since 2.6.17
- Exploitable in 2.6.22.10
- Exploitable in 2.6.23.15
- Exploitable in 2.6.24.1
Comment 6 Anonymous Emailer 2008-02-10 04:08:25 UTC
Reply-To: alan@redhat.com

On Sun, Feb 10, 2008 at 11:28:51AM +0000, Daniel Drake wrote:
> I have personally tested both exploits under a recent 2.6.22 release, 
> latest 2.6.23 and latest 2.6.24. Results:

There's a fix/explanation proposed for the other one on linux-kernel
Comment 7 Daniel Drake 2008-02-10 15:32:01 UTC
fixed in Linus' tree as 712a30e63c8066ed84385b12edbfb804f49cbc44
