Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

To: Bastian Blank <bastian@...>, Niki Denev <ndenev@...>, Willy Tarreau <w@...>, <linux-kernel@...>, <jens.axboe@...>

Cc: <stable@...>

Subject: Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit

Date: Sunday, February 10, 2008 - 9:02 am

thx it fixed for 2.6.22

quoted text>>>>>>>

commit f6e993b835393543bab2d917f9dea75218473edd
Author: Oliver Pinter <oliver.pntr@gmail.com>
Date:   Sun Feb 10 14:03:46 2008 +0100

    [PATCH] vm: splice local root exploit fix for 2.6.22.y

    Based on Bastian Blank's patch

    Fix for CVE_2008_0009 and CVE_2008-0010

    ----->8-----

    oliver@pancs:/tmp$ ./2617_26241_root_exploit
    -----------------------------------
     Linux vmsplice Local Root Exploit
      By qaaz
      -----------------------------------
      [+] mmap: 0x0 .. 0x1000
      [+] page: 0x0
      [+] page: 0x20
      [+] mmap: 0x4000 .. 0x5000
      [+] page: 0x4000
      [+] page: 0x4020
      [+] mmap: 0x1000 .. 0x2000
      [+] page: 0x1000
      [+] mmap: 0xb7f1a000 .. 0xb7f4c000
      [-] vmsplice: Bad address

    -----8<-----

    Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com>

diff --git a/fs/splice.c b/fs/splice.c
index e263d3b..d8b106e 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1182,6 +1182,12 @@ static int get_iovec_page_array(const struct
iovec __user *iov,
 		if (unlikely(!base))
 			break;

+		/* CVE-2008-0009, CVE-2008-0010 fix */
+		if(!access_ok(VERIFY_READ, base, len)) {
+			error = -EFAULT;
+			break;
+		}
+
 		/*
 		 * Get this base offset and number of pages, then map
 		 * in the user pages.


<<<<<<<

On 2/10/08, Bastian Blank <bastian@waldi.eu.org> wrote:
quoted text> On Sun, Feb 10, 2008 at 12:39:05PM +0000, Niki Denev wrote:
> > This patch is against 2.6.24.1 which has already the fix to
> vmsplice_to_user
> > With it i can't exploit the hole, and it is returns "invalid address"
>
> This is the vmsplice_to_pipe path and I have many reports that it is not
> fixed.
>
> Bastian
>
> --
> If there are self-made purgatories, then we all have to live in them.
> 		-- Spock, "This Side of Paradise", stardate 3417.7
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>

oliver@pancs:/tmp$ ./2617_26241_root_exploit
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f1a000 .. 0xb7f4c000
[-] vmsplice: Bad addres

-- 
Thanks,
Oliver
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

kernel 2.6.24.1 still vulnerable to the vmsplice local root ..., Niki Denev, (Sun Feb 10, 2:04 am)

Re: kernel 2.6.24.1 still vulnerable to the vmsplice local r..., Willy Tarreau, (Sun Feb 10, 2:32 am)

Re: kernel 2.6.24.1 still vulnerable to the vmsplice local r..., Niki Denev, (Sun Feb 10, 2:38 am)

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Niki Denev, (Sun Feb 10, 5:40 am)

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Bastian Blank, (Sun Feb 10, 8:22 am)

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Niki Denev, (Sun Feb 10, 9:48 am)

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Niki Denev, (Sun Feb 10, 8:39 am)

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Bastian Blank, (Sun Feb 10, 8:47 am)

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Oliver Pinter, (Sun Feb 10, 9:02 am)

Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to the..., Greg KH, (Sun Feb 10, 1:05 pm)

Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to the..., Oliver Pinter, (Sun Feb 10, 1:48 pm)

Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to the..., Oliver Pinter, (Sun Feb 10, 1:44 pm)

Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to the..., Pekka Enberg, (Sun Feb 10, 1:11 pm)

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Niki Denev, (Sun Feb 10, 8:54 am)

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Oliver Pinter, (Sun Feb 10, 8:04 am)


linux-kernel:
Tarkan Erimer	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Greg KH	[GIT PATCH] driver core patches against 2.6.24
Michal Piotrowski	Re: Linux 2.6.21-rc4
Joe Peterson	Re: 2.6.25.3: su gets stuck for root
git:

linux-netdev:
Jarek Poplawski	[PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
David Miller	[GIT]: Networking
Gerrit Renker	[PATCH 15/37] dccp: Set per-connection CCIDs via socket options
Emil S Tantilov	Re: WARNING: at include/net/sock.h:417 udp_lib_unhash
openbsd-misc:

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit

Online users