Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit

Score:

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Bastian Blank <bastian@...>

To: Niki Denev <ndenev@...>, Willy Tarreau <w@...>

Cc: <linux-kernel@...>, <jens.axboe@...>

Subject: Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit

Date: Sunday, February 10, 2008 - 8:22 am

On Sun, Feb 10, 2008 at 04:40:53AM -0500, Niki Denev wrote:
quoted text> this fixed the problem for me (kernel 2.6.24.1) :
> It appears that the initial patch checked the input to vmsplice_to_user,
> but the exploit used vmsplice_to_pipe which remained open to the attack.

This patch is broken. It opens the old hole again.

quoted text> @@ -1450,6 +1454,31 @@
>  		.ops = &user_page_pipe_buf_ops,
>  	};
> 
> +	error = ret = 0;
> +
> +	/*
> +	 * Get user address base and length for this iovec.
> +	 */
> +	error = get_user(base, &iov->iov_base);
> +	if (unlikely(error))
> +		return error;
> +	error = get_user(len, &iov->iov_len);
> +	if (unlikely(error))
> +		return error;

iov is unchecked.

quoted text> +	if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
> +		return -EFAULT;
> +	}

Use VERIFY_READ and this only checks the first entry.

I checked the following patch and it at least fixes the known exploit.

diff --git a/fs/splice.c b/fs/splice.c
index 14e2262..80beb2b 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1237,6 +1237,11 @@ static int get_iovec_page_array(const struct iovec __user *iov,
 		if (unlikely(!base))
 			break;
 
+		if (!access_ok(VERIFY_READ, base, len)) {
+			error = -EFAULT;
+			break;
+		}
+
 		/*
 		 * Get this base offset and number of pages, then map
 		 * in the user pages.
-- 
Even historians fail to learn from history -- they repeat the same mistakes.
		-- John Gill, "Patterns of Force", stardate 2534.7
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

kernel 2.6.24.1 still vulnerable to the vmsplice local root ..., Niki Denev, (Sun Feb 10, 2:04 am)

Re: kernel 2.6.24.1 still vulnerable to the vmsplice local r..., Willy Tarreau, (Sun Feb 10, 2:32 am)

Re: kernel 2.6.24.1 still vulnerable to the vmsplice local r..., Niki Denev, (Sun Feb 10, 2:38 am)

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Niki Denev, (Sun Feb 10, 5:40 am)

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Bastian Blank, (Sun Feb 10, 8:22 am)

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Niki Denev, (Sun Feb 10, 9:48 am)

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Niki Denev, (Sun Feb 10, 8:39 am)

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Bastian Blank, (Sun Feb 10, 8:47 am)

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Oliver Pinter, (Sun Feb 10, 9:02 am)

Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to the..., Greg KH, (Sun Feb 10, 1:05 pm)

Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to the..., Oliver Pinter, (Sun Feb 10, 1:48 pm)

Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to the..., Oliver Pinter, (Sun Feb 10, 1:44 pm)

Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to the..., Pekka Enberg, (Sun Feb 10, 1:11 pm)

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Niki Denev, (Sun Feb 10, 8:54 am)

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Oliver Pinter, (Sun Feb 10, 8:04 am)


linux-kernel:
Arjan van de Ven	[patch] Add basic sanity checks to the syscall execution patch
Matthew Wilcox	Re: AIM7 40% regression with 2.6.26-rc1
Bart Van Assche	Integration of SCST in the mainstream Linux kernel
Greg Kroah-Hartman	[PATCH 005/196] Chinese: add translation of SubmittingDrivers
git:
Andy Whitcroft	Re: VCS comparison table
David	User's mailing list? And multiple cherry pick
Scott Chacon	Git Community Book
Mark Levedahl	Re: [PATCH] Teach remote machinery about remotes.default config variable
openbsd-misc:
Marco Peereboom	Re: Real men don't attack straw men
Richard Stallman	Real men don't attack straw men
GVG GVG	ssh_exchange_identification: Connection closed by remote host
Tony Abernethy	Re: What is our ultimate goal??
linux-netdev:
Arjan van de Ven	Re: [GIT]: Networking
Jeff Garzik	Re: [bug?] tg3: Failed to load firmware "tigon/tg3_tso.bin"
Denys Fedoryshchenko	packetloss, on e1000e worse than r8169?
Radu Rendec	Endianness problem with u32 classifier hash masks


trouble with my Asus Mainboard	37 minutes ago	Linux kernel
How to exec user process in kernel mode.	2 days ago	Linux kernel
[IPSEC]IPSEC_MANUAL_REQID_MAX	2 days ago	Linux kernel
help in UDP catching module..	3 days ago	Linux kernel
Is there anything like Real-time drivers?	5 days ago	Linux general
ns16550 serail console in Linux 2.6.19	5 days ago	Linux general
what class should i use to register my devices	5 days ago	Linux kernel
reset bios pasword toshiba	6 days ago	Hardware
Analysis of Process Scheduling	1 week ago	Linux kernel
RT Kernel and SSH Server Panics	1 week ago	Linux kernel

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit

Online users