Kernel Bug Tracker – Bug 9924
Two vmsplice local root exploits
Last modified: 2008-02-10 15:32:01 UTC
Latest working kernel version:
Earliest failing kernel version: 2.6.17
Two root exploits have been reported:
Both exploits cause kernel Oops or (randomly) give root privilegies to the user.
Here is the same bug reported in gentoo bugzilla:
Steps to reproduce:
Compile and run the exploit.
Assuming this is about CVE-2008-0009/10, this is fixed with "[PATCH] splice: missing user pointer access verification" which is included in 188.8.131.52 and 184.108.40.206. If someone can confirm my assumption, please close this bug.
It's not properly fixed in 220.127.116.11. E.g. see http://bugs.gentoo.org/show_bug.cgi?id=209460
> It's not properly fixed in 18.104.22.168. E.g. see
Indeed, I can confirm this.
22.214.171.124 fixes this exploit:
(labelled "Diane Lane ...")
but does not fix this one, which still gives me root access on 126.96.36.199:
alternative link to the still-working exploit:
This is NOT fixed in 188.8.131.52: http://www.securityfocus.com/data/vulnerabilities/exploits/27704.c
But this probably is: http://www.securityfocus.com/data/vulnerabilities/exploits/27704-2.c (at least I can't reproduce it).
Linux Rimmer 184.108.40.206 #4 SMP PREEMPT Sat Feb 9 16:50:17 CET 2008 i686 GNU/Linux
I have personally tested both exploits under a recent 2.6.22 release,
latest 2.6.23 and latest 2.6.24. Results:
This was a bug added in 2.6.23, still present in 2.6.24, but fixed by
the most recent -stable releases for both branches:
- Not exploitable in 220.127.116.11
- Not exploitable in 18.104.22.168
- Not exploitable in 22.214.171.124
so this one is done and dusted...
alt link: http://bugs.gentoo.org/attachment.cgi?id=143059&action=view
This is still exploitable in the latest kernel releases and the exploit
source suggests it has been present since 2.6.17
- Exploitable in 126.96.36.199
- Exploitable in 188.8.131.52
- Exploitable in 184.108.40.206
On Sun, Feb 10, 2008 at 11:28:51AM +0000, Daniel Drake wrote:
> I have personally tested both exploits under a recent 2.6.22 release,
> latest 2.6.23 and latest 2.6.24. Results:
There's a fix/explanation proposed for the other one on linux-kernel
fixed in Linus' tree as 712a30e63c8066ed84385b12edbfb804f49cbc44