On Feb 10, 2008 1:38 AM, Niki Denev <[EMAIL PROTECTED]> wrote:
>
> On Feb 10, 2008 8:32 AM, Willy Tarreau <[EMAIL PROTECTED]> wrote:
> > On Sun, Feb 10, 2008 at 08:04:35AM +0200, Niki Denev wrote:
> > > Hi,
> > >
> > > As the subject says the 2.6.24.1 is still vulnerable to the vmsplice
> > > local root exploit.
> >
> > Yes indeed, that's quite bad. 2.6.24-git is still vulnerable too, and
> > also contains the fix :-(
> >
> > CC'd Jens as he worked on the fix.
> >
> > Willy
> >
> >
>
> I was unable to gain root on 2.6.24-git20
> but after several segfaults when executing the exploit continously
> the machine crashes.
>
> --Niki
>
this fixed the problem for me (kernel 2.6.24.1) :
It appears that the initial patch checked the input to vmsplice_to_user,
but the exploit used vmsplice_to_pipe which remained open to the attack.
--- fs/splice.c.orig 2008-02-08 21:55:30.000000000 +0200
+++ fs/splice.c 2008-02-10 11:32:50.000000000 +0200
@@ -1443,6 +1443,10 @@
struct pipe_inode_info *pipe;
struct page *pages[PIPE_BUFFERS];
struct partial_page partial[PIPE_BUFFERS];
+ int error;
+ long ret;
+ void __user *base;
+ size_t len;
struct splice_pipe_desc spd = {
.pages = pages,
.partial = partial,
@@ -1450,6 +1454,31 @@
.ops = &user_page_pipe_buf_ops,
};
+ error = ret = 0;
+
+ /*
+ * Get user address base and length for this iovec.
+ */
+ error = get_user(base, &iov->iov_base);
+ if (unlikely(error))
+ return error;
+ error = get_user(len, &iov->iov_len);
+ if (unlikely(error))
+ return error;
+
+ /*
+ * Sanity check this iovec. 0 read succeeds.
+ */
+ if (unlikely(!len))
+ return 0;
+ if (unlikely(!base)) {
+ return -EFAULT;
+ }
+
+ if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
+ return -EFAULT;
+ }
+
pipe = pipe_info(file->f_path.dentry->d_inode);
if (!pipe)
return -EBADF;
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
