Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit

view
thread

Score:

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Niki Denev <ndenev@...>

To: Willy Tarreau <w@...>

Cc: <linux-kernel@...>, <jens.axboe@...>

Subject: Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit

Date: Sunday, February 10, 2008 - 5:40 am

On Feb 10, 2008 1:38 AM, Niki Denev <ndenev@gmail.com> wrote:
quoted text>
> On Feb 10, 2008 8:32 AM, Willy Tarreau <w@1wt.eu> wrote:
> > On Sun, Feb 10, 2008 at 08:04:35AM +0200, Niki Denev wrote:
> > > Hi,
> > >
> > > As the subject says the 2.6.24.1 is still vulnerable to the vmsplice
> > > local root exploit.
> >
> > Yes indeed, that's quite bad. 2.6.24-git is still vulnerable too, and
> > also contains the fix :-(
> >
> > CC'd Jens as he worked on the fix.
> >
> > Willy
> >
> >
>
> I was unable to gain root on 2.6.24-git20
> but after several segfaults when executing the exploit continously
> the machine crashes.
>
> --Niki
>

this fixed the problem for me (kernel 2.6.24.1) :
It appears that the initial patch checked the input to vmsplice_to_user,
but the exploit used vmsplice_to_pipe which remained open to the attack.

--- fs/splice.c.orig	2008-02-08 21:55:30.000000000 +0200
+++ fs/splice.c	2008-02-10 11:32:50.000000000 +0200
@@ -1443,6 +1443,10 @@
 	struct pipe_inode_info *pipe;
 	struct page *pages[PIPE_BUFFERS];
 	struct partial_page partial[PIPE_BUFFERS];
+	int error;
+	long ret;
+	void __user *base;
+	size_t len;
 	struct splice_pipe_desc spd = {
 		.pages = pages,
 		.partial = partial,
@@ -1450,6 +1454,31 @@
 		.ops = &user_page_pipe_buf_ops,
 	};

+	error = ret = 0;
+
+	/*
+	 * Get user address base and length for this iovec.
+	 */
+	error = get_user(base, &iov->iov_base);
+	if (unlikely(error))
+		return error;
+	error = get_user(len, &iov->iov_len);
+	if (unlikely(error))
+		return error;
+
+	/*
+	 * Sanity check this iovec. 0 read succeeds.
+	 */
+	if (unlikely(!len))
+		return 0;
+	if (unlikely(!base)) {
+		return -EFAULT;	
+	}
+
+	if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
+		return -EFAULT;
+	}
+
 	pipe = pipe_info(file->f_path.dentry->d_inode);
 	if (!pipe)
 		return -EBADF;
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

kernel 2.6.24.1 still vulnerable to the vmsplice local root ..., Niki Denev, (Sun Feb 10, 2:04 am)

Re: kernel 2.6.24.1 still vulnerable to the vmsplice local r..., Willy Tarreau, (Sun Feb 10, 2:32 am)

Re: kernel 2.6.24.1 still vulnerable to the vmsplice local r..., Niki Denev, (Sun Feb 10, 2:38 am)

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Niki Denev, (Sun Feb 10, 5:40 am)

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Bastian Blank, (Sun Feb 10, 8:22 am)

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Niki Denev, (Sun Feb 10, 9:48 am)

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Niki Denev, (Sun Feb 10, 8:39 am)

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Bastian Blank, (Sun Feb 10, 8:47 am)

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Oliver Pinter, (Sun Feb 10, 9:02 am)

Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to the..., Greg KH, (Sun Feb 10, 1:05 pm)

Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to the..., Oliver Pinter, (Sun Feb 10, 1:48 pm)

Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to the..., Oliver Pinter, (Sun Feb 10, 1:44 pm)

Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to the..., Pekka Enberg, (Sun Feb 10, 1:11 pm)

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Niki Denev, (Sun Feb 10, 8:54 am)

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Oliver Pinter, (Sun Feb 10, 8:04 am)

Navigation

Mail archive search

Popular discussions


linux-kernel:
Junio C Hamano	[ANNOUNCE] GIT 1.6.0
Linus Torvalds	Re: [ANNOUNCE] mdb: Merkey's Linux Kernel Debugger 2.6.27-rc4 released
Bart Van Assche	Integration of SCST in the mainstream Linux kernel
Paul Menage	Re: [RFC][PATCH 6/7] Account for the number of tasks within container
git:
Nicolas Pitre	Re: pack operation is thrashing my server
Scott Chacon	Git Community Book
Greg KH	Re: [ANNOUNCE] pg - A patch porcelain for GIT
Lars Hjemli	[PATCH] git-merge: add option --no-ff
openbsd-misc:
GVG GVG	ssh_exchange_identification: Connection closed by remote host
Nick Guenther	Re: Real men don't attack straw men
Travers Buda	Re: Important OpenBSD errata
Gregory Edigarov	How to re-build openssl with SHA1 support?
linux-fsdevel:
Al Boldi	[RFC] VM: I have a dream...
Dave Kleikamp	Re: [RFC] Heads up on sys_fallocate()
Jörn	Review status (Re: [PATCH] LogFS take three)
Chris Mason	[ANNOUNCE] Btrfs v0.12 released

Latest forum posts


How to make initramfs smaller	2 hours ago	Linux kernel
How to exec user process in kernel mode.	4 hours ago	Linux kernel
how to check if a given block device is in use?	5 hours ago	Linux kernel
[IPSEC]IPSEC_MANUAL_REQID_MAX	3 days ago	Linux kernel
help in UDP catching module..	4 days ago	Linux kernel
Is there anything like Real-time drivers?	5 days ago	Linux general
ns16550 serail console in Linux 2.6.19	5 days ago	Linux general
what class should i use to register my devices	6 days ago	Linux kernel
reset bios pasword toshiba	6 days ago	Hardware
Analysis of Process Scheduling	1 week ago	Linux kernel

Show all forums...

Recent Tags

H. Peter Anvin filesystem -rc5 quote Linux Andrew Morton -rc -rc4 Tux3 Daniel Phillips Linus Torvalds 2.6.27 2.6.27-rc5

more tags

Colocation donated by:

Online users

Syndicate