
zcat(a)mandela:~$ ./vmsplice
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7fbe000 .. 0xb7ff0000
[+] root
root(a)mandela:~#

OUCH!!!!

Exploit is here; http://www.milw0rm.com/exploits/5092

Instant temporary fix (zaps the live kernel with a NOP in the appropriate place) is mentioned here; http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953#14

Actual code for fix; http://www.ping.uio.no/~mortehu/disable-vmsplice-if-exploitable.c

On Mon, Feb 11, 2008 at 02:49:45PM +1300, Bruce Kingsbury wrote:
zcat(a)mandela:~$ ./vmsplice
More information, since Bruce forgot:

* applies to all kernels from 2.6.17 to 2.6.24.1
* allows any user to gain root privileges
* depends on whether your distribution includes certain modules or not: Ubuntu's kernel is not vulnerable, but most other distros are.

Expect to see security fixes from your vendor in the next day or so, and apply them!

John

* depends on whether your distribution includes certain modules or not: ubuntu's kernel is not vulnerable, but most other distros are.
Curious, since this machine actually runs a fairly standard Ubuntu install and clearly was vulnerable.

zcat(a)mandela:~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=7.10
DISTRIB_CODENAME=gutsy
DISTRIB_DESCRIPTION="Ubuntu 7.10"
zcat(a)mandela:~$ uname -a
Linux mandela 2.6.22-14-generic #1 SMP Fri Feb 1 04:59:50 UTC 2008 i686 GNU/Linux

On Feb 11, 2008 2:49 PM, Bruce Kingsbury <zcat(a)zcat.geek.nz> wrote:
Exploit is here; http://www.milw0rm.com/exploits/5092
Instant temporary fix (zaps the live kernel with a NOP in the appropriate place) is mentioned here; http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953#14
Actual code for fix; http://www.ping.uio.no/~mortehu/disable-vmsplice-if-exploitable.c
And here is fix in 2.6.24.2: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.24.2 If you are running your own kernel fix is here: http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.24.y.git;a=commit... From: Bastian Blank <bastian(a)waldi.eu.org> Date: Sun, 10 Feb 2008 14:47:57 +0000 (+0200) Subject: splice: fix user pointer access in get_iovec_page_array() X-Git-Tag: v2.6.24.2~1 X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.24.y.git;... splice: fix user pointer access in get_iovec_page_array() patch 712a30e63c8066ed84385b12edbfb804f49cbc44 in mainline. Commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user pointer access verification") added the proper access_ok() calls to copy_from_user_mmap_sem() which ensures we can copy the struct iovecs from userspace to the kernel. But we also must check whether we can access the actual memory region pointed to by the struct iovec to fix the access checks properly. Signed-off-by: Bastian Blank <waldi(a)debian.org> Acked-by: Oliver Pinter <oliver.pntr(a)gmail.com> Cc: Jens Axboe <jens.axboe(a)oracle.com> Cc: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Pekka Enberg <penberg(a)cs.helsinki.fi> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)suse.de> --- diff --git a/fs/splice.c b/fs/splice.c index 36fdc61..e313478 100644 --- a/fs/splice.c +++ b/fs/splice.c @@ -1239,7 +1239,7 @@ static int get_iovec_page_array(const struct iovec __user *iov, if (unlikely(!len)) break; error = -EFAULT; - if (unlikely(!base)) + if (!access_ok(VERIFY_READ, base, len)) break; /* -- Web: http://wand.net.nz/~iam4/ Blog: http://iansblog.jandi.co.nz
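Review bot: the fs/splice.c hunk replaces the `if (unlikely(!base))` test with `if (!access_ok(VERIFY_READ, base, len))` instead of adding to it, so a NULL iov_base with a non-zero len is no longer rejected here as long as the range lies within the user address space; if rejecting NULL was intentional, keep both conditions (`if (!base || !access_ok(VERIFY_READ, base, len))`), otherwise the commit message should say that unmapped addresses are left for the later page-pinning step to fail on. The commit message also says only that "we also must check whether we can access the actual memory region"; one sentence naming the consequence of the old check (a non-NULL kernel address passed it) would make the severity of the fix clear to anyone reading the stable changelog.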
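To show what the one-line change in the hunk buys, here is a user-space model of the old NULL-only test beside the access_ok() range test that replaces it. This is an added illustration, not code from the thread or from the kernel; MODEL_TASK_SIZE, struct model_iovec and the function names are assumptions of the model, and the sample addresses are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not kernel code: a 32-bit x86-style split in which
 * user space is [0, MODEL_TASK_SIZE) and kernel memory lies above it. */
#define MODEL_TASK_SIZE 0xC0000000UL

struct model_iovec {
    unsigned long base;   /* stands in for iov_base */
    unsigned long len;    /* stands in for iov_len  */
};

/* Pre-fix test from the hunk: rejects only a NULL pointer, so a
 * kernel-space address is accepted as if it were a user buffer. */
static bool old_base_check(const struct model_iovec *iov)
{
    return iov->base != 0;
}

/* Model of access_ok(VERIFY_READ, base, len): every byte of
 * [base, base + len) must be below MODEL_TASK_SIZE.  The bound is written
 * as a subtraction so that base + len cannot wrap around and pass. */
static bool model_access_ok(unsigned long base, unsigned long len)
{
    if (len > MODEL_TASK_SIZE)
        return false;
    return base <= MODEL_TASK_SIZE - len;
}

/* Post-fix test from the hunk, applied to one iovec. */
static bool new_range_check(const struct model_iovec *iov)
{
    return model_access_ok(iov->base, iov->len);
}

int main(void)
{
    /* Constructed sample: user buffer, kernel address, wrapping range, NULL. */
    const struct model_iovec s[] = { { 0x08048000UL, 0x1000UL }, { 0xC0100000UL, 0x1000UL },
                                     { 0xBFFFF000UL, 0x10000UL }, { 0x0UL, 0x1000UL } };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("base=%#010lx len=%#07lx  old:%d  access_ok:%d\n", s[i].base, s[i].len,
               old_base_check(&s[i]), new_range_check(&s[i]));
    return 0;
}
```

The second and third sample entries are the interesting ones: the old test admits both, the range test rejects both; the NULL entry goes the other way, which is the point raised in the review note.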
participants (3):
- Bruce Kingsbury
- Ian McDonald
- John R. McPherson