Launchpad has imported 9 comments from the remote bug at https://bugzilla.kernel.org/show_bug.cgi?id=9924.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2008-02-09T15:00:59+00:00 slava wrote:

Latest working kernel version:
Earliest failing kernel version: 2.6.17
Distribution: Gentoo
Hardware Environment:
Software Environment:
Problem Description:

Two root exploits have been reported:
http://milw0rm.com/exploits/5093
http://milw0rm.com/exploits/5092

Both exploits cause a kernel Oops or (randomly) give root privileges to the user.

Here is the same bug reported in Gentoo bugzilla:
http://bugs.gentoo.org/show_bug.cgi?id=209460

Steps to reproduce:
Compile and run the exploit.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/0

------------------------------------------------------------------------
On 2008-02-09T16:30:03+00:00 dsd wrote:

Assuming this is about CVE-2008-0009/10, this is fixed with "[PATCH] splice: missing user pointer access verification", which is included in 2.6.24.1 and 2.6.23.15. If someone can confirm my assumption, please close this bug.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/1

------------------------------------------------------------------------
On 2008-02-09T22:01:27+00:00 tm wrote:

It's not properly fixed in 2.6.24.1. E.g. see http://bugs.gentoo.org/show_bug.cgi?id=209460

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/2

------------------------------------------------------------------------
On 2008-02-10T03:19:49+00:00 dsd wrote:

http://bugzilla.kernel.org/show_bug.cgi?id=9924

> It's not properly fixed in 2.6.24.1. E.g. see
> http://bugs.gentoo.org/show_bug.cgi?id=209460

Indeed, I can confirm this.

2.6.24.1 fixes this exploit:
http://milw0rm.com/exploits/5093 (labelled "Diane Lane ...")

but does not fix this one, which still gives me root access on 2.6.24.1:
http://milw0rm.com/exploits/5092 ("jessica_biel_naked_in_my_bed.c")

alternative link to the still-working exploit:
http://bugs.gentoo.org/attachment.cgi?id=143059&action=view

Daniel

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/4

------------------------------------------------------------------------
On 2008-02-10T03:31:36+00:00 rpilar wrote:

This is NOT fixed in 2.6.24.1:
http://www.securityfocus.com/data/vulnerabilities/exploits/27704.c

But this probably is:
http://www.securityfocus.com/data/vulnerabilities/exploits/27704-2.c
(at least I can't reproduce it).

Linux Rimmer 2.6.24.1 #4 SMP PREEMPT Sat Feb 9 16:50:17 CET 2008 i686 GNU/Linux

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/5

------------------------------------------------------------------------
On 2008-02-10T03:31:37+00:00 dsd wrote:

I have personally tested both exploits under a recent 2.6.22 release, latest 2.6.23 and latest 2.6.24. Results:

http://milw0rm.com/exploits/5093 ("diane_lane")
This was a bug added in 2.6.23, still present in 2.6.24, but fixed by the most recent -stable releases for both branches:
- Not exploitable in 2.6.22.10
- Not exploitable in 2.6.23.15
- Not exploitable in 2.6.24.1
so this one is done and dusted...
http://milw0rm.com/exploits/5092 ("jessica_biel")
alt link: http://bugs.gentoo.org/attachment.cgi?id=143059&action=view
This is still exploitable in the latest kernel releases and the exploit source suggests it has been present since 2.6.17
- Exploitable in 2.6.22.10
- Exploitable in 2.6.23.15
- Exploitable in 2.6.24.1

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/6

------------------------------------------------------------------------
On 2008-02-10T04:08:25+00:00 anonymous wrote:

Reply-To: a...@redhat.com

On Sun, Feb 10, 2008 at 11:28:51AM +0000, Daniel Drake wrote:
> I have personally tested both exploits under a recent 2.6.22 release,
> latest 2.6.23 and latest 2.6.24. Results:

There's a fix/explanation proposed for the other one on linux-kernel

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/7

------------------------------------------------------------------------
On 2008-02-10T15:32:01+00:00 dsd wrote:

fixed in Linus' tree as 712a30e63c8066ed84385b12edbfb804f49cbc44

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/19

------------------------------------------------------------------------
On 2021-10-15T17:59:43+00:00 ucelsanicin wrote:

Possibly similar to 23220 however on 64-bit recent Debian sid with trivial code I see:

mimas$
mimas$ uname -a
Linux mimas 5.10.0-6-sparc64 #1 Debian 5.10.28-1 (2021-04-09) sparc64 GNU/Linux
mimas$
mimas$
mimas$ /usr/bin/gcc --version
gcc (Debian 10.2.1-6) 10.2.1 20210110
Copyright (C) 2020 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
mimas$
mimas$
mimas$ cat -n foo.c
     1
     2  #include <stdio.h>
     3  #include <stdlib.h>
     4
     5  int main(int argc, char **argv)
     6  {
     7      int a = 1;
     8
     9      printf("a = %i\n", a);
    10
    11      printf("&a = %p\n", &a);
    12
    13      return EXIT_SUCCESS;
    14
    15  }
    16
mimas$
mimas$
mimas$ /usr/bin/gcc -std=iso9899:1999 -pedantic -pedantic-errors -fno-builtin -g -m64 -O0 -mno-app-regs -mcpu=ultrasparc -mmemory-model=tso -o foo foo.c
mimas$
mimas$
mimas$ TERM=dumb LC_ALL=C /usr/bin/gdb ./foo
GNU gdb (Debian 10.1-2) 10.1.90.20210103-git

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/131

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
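Both fixes discussed in this thread close the same class of hole in the splice/vmsplice iovec handling: a user-supplied (base, len) pair was used without an access_ok()-style range check, so a pointer into the kernel half of the address space was accepted. The first fix ("splice: missing user pointer access verification") covered the iovec array itself; the second, commit 712a30e63c8066ed84385b12edbfb804f49cbc44, replaced a NULL-only test on each iovec base inside get_iovec_page_array() with an access_ok() check. The following userland C model is an added example, not code from this page or from the kernel: it puts the pre-fix NULL-only check beside a range check, and also shows why the range check must be written in overflow-safe form. USER_LIMIT (standing in for the user/kernel split), the struct and all function names are assumptions of the model, and the five iovec vectors are constructed.

```c
/*
 * Userland model of the per-iovec validation at the heart of the vmsplice
 * bugs above.  Added illustration, not kernel code: a flat 64-bit address
 * space is modelled with an assumed USER_LIMIT, and "validation" just
 * reports whether each user-supplied (base, len) pair would be accepted.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define USER_LIMIT 0x00007ffffffff000ULL   /* assumed user/kernel split (model) */

struct user_iovec {
    uint64_t base;   /* user-supplied pointer value */
    uint64_t len;    /* user-supplied length */
};

/* Naive range test: base + len wraps for a large base, so a range that
 * starts near the top of the address space "ends" at a small address. */
static int range_ok_naive(uint64_t base, uint64_t len)
{
    return base + len <= USER_LIMIT;
}

/* access_ok()-style test: [base, base+len) must lie entirely below
 * USER_LIMIT.  Written without computing base + len, so it cannot wrap. */
static int range_ok(uint64_t base, uint64_t len)
{
    if (len > USER_LIMIT)
        return 0;
    if (base > USER_LIMIT - len)   /* same as base + len > USER_LIMIT, overflow-safe */
        return 0;
    return 1;
}

/* Pre-fix shape of the check: only NULL is rejected.  A kernel address,
 * or a range that straddles the limit, passes. */
static int validate_iovecs_vulnerable(const struct user_iovec *iov, size_t n,
                                      size_t *accepted)
{
    *accepted = 0;
    for (size_t i = 0; i < n; i++) {
        if (iov[i].len == 0)
            break;
        if (iov[i].base == 0)
            return -1;                      /* -EFAULT */
        (*accepted)++;
    }
    return 0;
}

/* Post-fix shape: every (base, len) pair gets the full range check. */
static int validate_iovecs_fixed(const struct user_iovec *iov, size_t n,
                                 size_t *accepted)
{
    *accepted = 0;
    for (size_t i = 0; i < n; i++) {
        if (iov[i].len == 0)
            break;
        if (!range_ok(iov[i].base, iov[i].len))
            return -1;                      /* -EFAULT */
        (*accepted)++;
    }
    return 0;
}

/* Constructed vectors.  Returns a bitmask: bit k set means vector k was
 * rejected, so the two validators can be compared directly. */
static unsigned int rejected_mask(int (*fn)(const struct user_iovec *, size_t, size_t *))
{
    static const struct user_iovec cases[] = {
        { 0x00007f0000001000ULL, 4096 },   /* 0: ordinary user buffer      */
        { 0xffffffff81000000ULL, 4096 },   /* 1: address in the kernel half */
        { USER_LIMIT - 16,       4096 },   /* 2: straddles USER_LIMIT       */
        { 0xfffffffffffffff0ULL, 0x20 },   /* 3: base + len wraps to 0x10   */
        { 0,                     4096 },   /* 4: NULL base                  */
    };
    unsigned int mask = 0;
    for (size_t k = 0; k < sizeof cases / sizeof cases[0]; k++) {
        size_t accepted;
        if (fn(&cases[k], 1, &accepted) != 0)
            mask |= 1u << k;
    }
    return mask;
}

int main(void)
{
    printf("vulnerable rejects: 0x%02x\n", rejected_mask(validate_iovecs_vulnerable));
    printf("fixed      rejects: 0x%02x\n", rejected_mask(validate_iovecs_fixed));
    printf("naive range test accepts wrapped range: %d\n",
           range_ok_naive(0xfffffffffffffff0ULL, 0x20));
    return 0;
}
```

The NULL-only validator rejects just vector 4, while the range-checked one rejects vectors 1, 2 and 3. Note that the range check deliberately accepts a NULL base: access_ok() only answers whether a range could belong to user space, and an unmapped user page is caught later by the fault on the actual copy, which is why the kernel fix could drop the NULL test rather than keep both. The naive form accepts vector 3 because the addition wraps, which is the reason the overflow-safe comparison is the one to write.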
https://bugs.launchpad.net/bugs/190587

Title:
  Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)

Status in Linux:
  Fix Released
Status in Ubuntu:
  Fix Released
Status in gplcver package in Ubuntu:
  Invalid
Status in linux package in Ubuntu:
  Fix Released
Status in linux-source-2.6.15 package in Ubuntu:
  Invalid
Status in linux-source-2.6.17 package in Ubuntu:
  Fix Released
Status in linux-source-2.6.20 package in Ubuntu:
  Fix Released
Status in linux-source-2.6.22 package in Ubuntu:
  Fix Released
Status in CentOS:
  Fix Released
Status in Debian:
  Fix Released
Status in linux package in Fedora:
  Fix Released
Status in Gentoo Linux:
  Fix Released
Status in Mandriva:
  Fix Released

Bug description:
  https://bugs.gentoo.org/show_bug.cgi?id=209460 works on at least Hardy 2.6.24-7, Edgy 2.6.17-12, but not on Feisty 2.6.20-16.

To manage notifications about this bug go to:
https://bugs.launchpad.net/linux/+bug/190587/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp