Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit

From: Oliver Pinter
Date: Sun Feb 10 2008 - 08:02:42 EST

Next message: Boaz Harrosh: "Re: scsi/arm/fas216.c compile error"
Previous message: Heiko Carstens: "Re: preempt rcu bug on s390"
In reply to: Niki Denev: "Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit"
Next in thread: Greg KH: "Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to thevmsplice local root exploit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

thx it fixed for 2.6.22

>>>>>>>

commit f6e993b835393543bab2d917f9dea75218473edd
Author: Oliver Pinter <oliver.pntr@xxxxxxxxx>
Date: Sun Feb 10 14:03:46 2008 +0100

[PATCH] vm: splice local root exploit fix for 2.6.22.y

Based on Bastian Blank's patch

Fix for CVE_2008_0009 and CVE_2008-0010

----->8-----

oliver@pancs:/tmp$ ./2617_26241_root_exploit
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f1a000 .. 0xb7f4c000
[-] vmsplice: Bad address

-----8<-----

Signed-off-by: Oliver Pinter <oliver.pntr@xxxxxxxxx>

diff --git a/fs/splice.c b/fs/splice.c
index e263d3b..d8b106e 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1182,6 +1182,12 @@ static int get_iovec_page_array(const struct
iovec __user *iov,
if (unlikely(!base))
break;

+ /* CVE-2008-0009, CVE-2008-0010 fix */
+ if(!access_ok(VERIFY_READ, base, len)) {
+ error = -EFAULT;
+ break;
+ }
+
/*
* Get this base offset and number of pages, then map
* in the user pages.

<<<<<<<

On 2/10/08, Bastian Blank <bastian@xxxxxxxxxxxx> wrote:
> On Sun, Feb 10, 2008 at 12:39:05PM +0000, Niki Denev wrote:
> > This patch is against 2.6.24.1 which has already the fix to
> vmsplice_to_user
> > With it i can't exploit the hole, and it is returns "invalid address"
>
> This is the vmsplice_to_pipe path and I have many reports that it is not
> fixed.
>
> Bastian
>
> --
> If there are self-made purgatories, then we all have to live in them.
> -- Spock, "This Side of Paradise", stardate 3417.7
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>

oliver@pancs:/tmp$ ./2617_26241_root_exploit
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f1a000 .. 0xb7f4c000
[-] vmsplice: Bad addres

--
Thanks,
Oliver
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Boaz Harrosh: "Re: scsi/arm/fas216.c compile error"
Previous message: Heiko Carstens: "Re: preempt rcu bug on s390"
In reply to: Niki Denev: "Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit"
Next in thread: Greg KH: "Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to thevmsplice local root exploit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]