Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit

From: Niki Denev
Date: Sun Feb 10 2008 - 04:41:25 EST

Next message: Martin Schwidefsky: "Re: CONFIG_HIGHPTE vs. sub-page page tables."
Previous message: Christoph Hellwig: "Re: [3/6] kgdb: core"
In reply to: Niki Denev: "Re: kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit"
Next in thread: Oliver Pinter: "Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Feb 10, 2008 1:38 AM, Niki Denev <ndenev@xxxxxxxxx> wrote:
>
> On Feb 10, 2008 8:32 AM, Willy Tarreau <w@xxxxxx> wrote:
> > On Sun, Feb 10, 2008 at 08:04:35AM +0200, Niki Denev wrote:
> > > Hi,
> > >
> > > As the subject says the 2.6.24.1 is still vulnerable to the vmsplice
> > > local root exploit.
> >
> > Yes indeed, that's quite bad. 2.6.24-git is still vulnerable too, and
> > also contains the fix :-(
> >
> > CC'd Jens as he worked on the fix.
> >
> > Willy
> >
> >
>
> I was unable to gain root on 2.6.24-git20
> but after several segfaults when executing the exploit continously
> the machine crashes.
>
> --Niki
>

this fixed the problem for me (kernel 2.6.24.1) :
It appears that the initial patch checked the input to vmsplice_to_user,
but the exploit used vmsplice_to_pipe which remained open to the attack.

--- fs/splice.c.orig 2008-02-08 21:55:30.000000000 +0200
+++ fs/splice.c 2008-02-10 11:32:50.000000000 +0200
@@ -1443,6 +1443,10 @@
struct pipe_inode_info *pipe;
struct page *pages[PIPE_BUFFERS];
struct partial_page partial[PIPE_BUFFERS];
+ int error;
+ long ret;
+ void __user *base;
+ size_t len;
struct splice_pipe_desc spd = {
.pages = pages,
.partial = partial,
@@ -1450,6 +1454,31 @@
.ops = &user_page_pipe_buf_ops,
};

+ error = ret = 0;
+
+ /*
+ * Get user address base and length for this iovec.
+ */
+ error = get_user(base, &iov->iov_base);
+ if (unlikely(error))
+ return error;
+ error = get_user(len, &iov->iov_len);
+ if (unlikely(error))
+ return error;
+
+ /*
+ * Sanity check this iovec. 0 read succeeds.
+ */
+ if (unlikely(!len))
+ return 0;
+ if (unlikely(!base)) {
+ return -EFAULT;
+ }
+
+ if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
+ return -EFAULT;
+ }
+
pipe = pipe_info(file->f_path.dentry->d_inode);
if (!pipe)
return -EBADF;
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Martin Schwidefsky: "Re: CONFIG_HIGHPTE vs. sub-page page tables."
Previous message: Christoph Hellwig: "Re: [3/6] kgdb: core"
In reply to: Niki Denev: "Re: kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit"
Next in thread: Oliver Pinter: "Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]