Launchpad has imported 35 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=432251.


------------------------------------------------------------------------
On 2008-02-10T13:37:47+00:00 mjc wrote:

A new system call named vmsplice() was introduced in the 2.6.17
release of the Linux kernel.

COSEINC reported two issues affecting vmsplice, CVE-2008-0009 and
CVE-2008-0010.

On Saturday 20080210 a public exploit was released that utilised a similar flaw
in vmsplice (vmsplice_to_pipe function) to allow a local user to gain privileges
on some architectures.  

See also
http://marc.info/?t=120263655300003&r=1&w=2

This issue affects kernels 2.6.17+ and therefore affects Red Hat Enterprise
Linux 5, but not Red Hat Enterprise Linux 4, 3, or 2.1.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/8

------------------------------------------------------------------------
On 2008-02-10T16:39:00+00:00 mjc wrote:

Note that there may be a little confusion as there are actually three vmsplice
issues:

CVE-2008-0009 is already fixed upstream, does not affect any RHEL, has no
public exploit.  Upstream patch is the second hunk of:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8811930dc74a503415b35c4a79d14fb0b408a361

CVE-2008-0010 is already fixed upstream, does not affect any RHEL, but has
a public exploit. ( http://www.milw0rm.com/exploits/5093 )
Upstream patch is the first hunk of:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8811930dc74a503415b35c4a79d14fb0b408a361

CVE-2008-0600 is not yet fixed upstream, affects RHEL5,
and has a public exploit ( http://www.milw0rm.com/exploits/5092 )


Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/12

------------------------------------------------------------------------
On 2008-02-10T18:11:58+00:00 mjc wrote:

Proposed patch for RHEL5 from Al Viro

diff -urN linux-2.6.18.x86_64/fs/splice.c linux-2.6.18.x86_64-fix/fs/splice.c
--- linux-2.6.18.x86_64/fs/splice.c     2008-02-10 11:08:19.000000000 -0500
+++ linux-2.6.18.x86_64-fix/fs/splice.c 2008-02-10 11:31:06.000000000 -0500
@@ -1154,6 +1154,9 @@
                if (unlikely(!base))
                        break;
 
+               if (unlikely(!access_ok(VERIFY_READ, base, len)))
+                       break;
+
                /*
                 * Get this base offset and number of pages, then map
                 * in the user pages.
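Review bot: the new `access_ok(VERIFY_READ, base, len)` check leaves the loop with `break`, mirroring the existing `if (unlikely(!base)) break;` above it, rather than returning -EFAULT at the point of failure, so whether a caller that passes an unreadable `base` gets an error or a short result depends on how the code after the loop (outside this hunk) treats an early exit; it is worth confirming that an early exit on the very first iovec is reported as a failure and not as a zero-length splice. It would also help future readers to add a one-line comment above the check saying that this is the user-address range validation the loop previously skipped before mapping the pages, since nothing in the surrounding comment mentions it.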




Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/14

------------------------------------------------------------------------
On 2008-02-10T20:42:39+00:00 mjc wrote:

Confirmed the patch blocks this issue for Red Hat Enterprise Linux 5; this
specific exploit prints "[-] vmsplice: Bad address" and fails.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/20

------------------------------------------------------------------------
On 2008-02-10T21:17:01+00:00 mjc wrote:

Upstream fix:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=712a30e63c8066ed84385b12edbfb804f49cbc44


Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/22

------------------------------------------------------------------------
On 2008-02-10T22:05:50+00:00 mjc wrote:

For Red Hat Enterprise Linux 5:
CVSS v2 Base score: 7.2 (High) (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/24

------------------------------------------------------------------------
On 2008-02-10T23:16:13+00:00 redhat wrote:

We added a quick and dirty patch for the problem here:
http://home.powertech.no/oystein/ptpatch2008/

It is a kernel module that disables vmsplice and logs any attempts to exploit
the bug.
As it is a loadable module, it can easily be deployed on systems that cannot be
updated with a new kernel for various reasons.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/29

------------------------------------------------------------------------
On 2008-02-10T23:38:28+00:00 seva wrote:

Ola,

I tried that module on a test system and got:
  <name> kernel: general protection fault: 0000 [1] SMP 

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/31

------------------------------------------------------------------------
On 2008-02-11T03:29:52+00:00 ryan wrote:

The Makefile required some modification for PAE kernels due to path issues;
once compiled, the module fails to load with:
insmod: error inserting 'ptpatch2008.ko': -1 Invalid module format

(double checked to confirm the system.map and modules paths are in fact valid to
the current running kernel version on the system)

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/36

------------------------------------------------------------------------
On 2008-02-11T04:12:35+00:00 agt wrote:

@Ryan, make sure you have kernel-PAE-devel installed, and then undo your
Makefile path changes.  The modules compile and insmod properly for me.  Thanks,
Ola!

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/40

------------------------------------------------------------------------
On 2008-02-11T04:48:04+00:00 juanino wrote:

Created attachment 294535
x86_64 panic on ptpatch module load

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/41

------------------------------------------------------------------------
On 2008-02-11T04:48:52+00:00 juanino wrote:

To clarify, the module from comment #10 panics on x86_64 for me.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/42

------------------------------------------------------------------------
On 2008-02-11T05:51:56+00:00 ryan wrote:

(In reply to comment #13)
> @Ryan, make sure you have kernel-PAE-devel installed, and then undo your
> Makefile path changes.  The modules compile and insmod properly for me.  Thanks,
> Ola!

Perfect, that did the trick - had not realized there was a specific pae-devel
package.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/43

------------------------------------------------------------------------
On 2008-02-11T07:51:58+00:00 thoger wrote:

*** Bug 432308 has been marked as a duplicate of this bug. ***

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/52

------------------------------------------------------------------------
On 2008-02-11T07:58:54+00:00 thoger wrote:

*** Bug 432288 has been marked as a duplicate of this bug. ***

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/53

------------------------------------------------------------------------
On 2008-02-11T11:08:35+00:00 artms wrote:

On kernel-2.6.18-53.1.6.el5xen (x86_64) this exploit makes the kernel panic.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/54

------------------------------------------------------------------------
On 2008-02-11T11:57:25+00:00 mattdm wrote:

Not to detract from the real work, but can someone describe the
access-restricted bugs marked as blocking this? (Bug #432252, Bug #432253). 
Thanks.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/55

------------------------------------------------------------------------
On 2008-02-11T12:01:40+00:00 mbooth wrote:

These are simply tracking bugs for specific affected products.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/56

------------------------------------------------------------------------
On 2008-02-11T13:35:18+00:00 mjc wrote:

In reply to comment #20: there are some bugs in the exploit which mean that it
doesn't work directly on x86_64 machines, although it can be modified to do so.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/60

------------------------------------------------------------------------
On 2008-02-11T14:16:07+00:00 russell wrote:

I can confirm the sample exploit will segfault on athlon on a bare system (would
likely be patchable), but will work as supplied on a XenU.

Segfault: Linux xxxx 2.6.23.9-85.fc8 #1 SMP Fri Dec 7 15:49:59 EST 2007 i686
athlon i386 GNU/Linux

Exploitable: Linux xxxx 2.6.21-2952.fc8xen #1 SMP Mon Nov 19 07:06:55 EST 2007
i686 athlon i386 GNU/Linux


Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/62

------------------------------------------------------------------------
On 2008-02-11T14:41:33+00:00 mpeters wrote:

The exploit worked for me w/o a segfault on i386 Duron (kernel-2.6.18-53.1.6.el5)
and x86_64 Athlon X2 (5200+, same kernel but x86_64 install).

On i386 it did not work consistently, and, I'm guessing related, the machine had
to be rebooted as it kept dropping ssh connections after the exploit was run.

Both boxes are CentOS (opposed to RHEL) if it matters.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/63

------------------------------------------------------------------------
On 2008-02-11T16:44:06+00:00 donhoover wrote:

I verified it working on RHEL5 and RHEL 5.1 32bit boxes using both the older and
newer -53 kernels in both single and SMP installs.

The exploit does seem to make the systems unstable, and they have crashed after
running a little longer once someone uses this exploit.


Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/67

------------------------------------------------------------------------
On 2008-02-11T17:06:18+00:00 erek wrote:

I've compiled an interim RPM for my internal use, as I considered this safer
than the kernel module which has caused panics.  It's the same as 2.6.18-53
Centos, but with the upstream kernel patch applied. Obviously your mileage may
vary.

http://erek.blumenthals.com/blog/2008/02/11/rhel-5-centos-5-kernel-rpms-patched-against-vmsplice-local-root-exploit/

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/69

------------------------------------------------------------------------
On 2008-02-11T17:07:40+00:00 erek wrote:

That's against 2.6.53.1.6, not 2.6.53 as I said previously.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/70

------------------------------------------------------------------------
On 2008-02-11T18:14:37+00:00 jakub wrote:

Hey boys, Debian has already fixed this, where is Red Hat? Thank you
very much.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/75

------------------------------------------------------------------------
On 2008-02-11T18:18:09+00:00 mattdm wrote:

> Hey boys, Debian has already fixed this, where is Red Hat? Thank you
> very much.

Doing quality control on the produced updates, presumably.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/76

------------------------------------------------------------------------
On 2008-02-11T18:29:56+00:00 admin wrote:

RHAT had it fixed on 2/8; see the .79 kernel in:

http://people.redhat.com/dzickus/el5/79.el5

I tested it on i686 and was unable to use milw0rm exploit 5092 or 5093. It also
fixes another NFS issue from bug 431092.


Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/77

------------------------------------------------------------------------
On 2008-02-11T18:54:39+00:00 amyagi wrote:

(In reply to comment #31)
> RHAT had it fixed on 2/8 see the .79 kernel in:
>
> http://people.redhat.com/dzickus/el5/79.el5
>
> I tested it on i686 and was unable to use millw0rm exploit 5092 or 5093. it also
> fixes another NFS issue from bug 431092.

However, keep in mind that it is a TEST kernel. The .78 kernel I tested and
confirmed about the nfs fix is UNstable and some people are experiencing system
instability / crashes.


Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/79

------------------------------------------------------------------------
On 2008-02-11T18:56:59+00:00 mjc wrote:

The Red Hat Security Response Team is working with engineering and QA on the
updated packages for Red Hat Enterprise Linux 5.  We'll release them immediately
to the Red Hat Network once they pass our testing and QA processes.

(Updated Fedora kernels are currently being pushed live and will be
available soon)



Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/80

------------------------------------------------------------------------
On 2008-02-11T22:01:43+00:00 donhoover wrote:

The systemtap script does not seem to catch/deny every run of the exploit in my
testing.  They all seem to get logged, but many of them still get a root prompt.

The system is also still unstable, and either the exploit running multiple times
or the systemtap script eventually causes a kernel crash.


Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/91

------------------------------------------------------------------------
On 2008-02-12T00:03:12+00:00 jkmoseley wrote:

(In reply to comment #16)
> (In reply to comment #13)
> > @Ryan, make sure you have kernel-PAE-devel installed, and then undo your
> > Makefile path changes.  The modules compile and insmod properly for me.  Thanks,
> > Ola!
> Perfect, that did the trick - had not realized there was a specific pae-devel
> package.

I was able to successfully compile the module on a FC5 system, but when trying 
to add via insmod, I get:

insmod: error inserting 'ptpatch2008.ko': -1 Operation not permitted

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/94

------------------------------------------------------------------------
On 2008-02-12T01:40:54+00:00 fche wrote:

(In reply to comment #36)
> The system tap does not seem to catch/deny every run of the exploit in my
> testing.  They all seem to get logged, but many of them still get a root 
> prompt.

The systemtap script proposed in comment #35 is a poor choice, so it is
now hidden in order to avoid misleading the public.  It interfered
with multiple functions in fs/splice.c, and did not actually block
the vmsplice attempt but rather just attempted to log and punish it.

If you have the prerequisites for this tool though, try the simpler
script listed in bug #432229 comment #17.


Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/96

------------------------------------------------------------------------
On 2008-02-12T14:44:31+00:00 mjc wrote:

Just a quick status update; we have updated kernel packages released for Fedora
(see linked bugs) and are finishing up the QA process for Red Hat Enterprise
Linux 5.  We expect this to be completed shortly (pending successful completion
of testing).  This will be RHSA-2008:0129. 

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/103

------------------------------------------------------------------------
On 2008-02-12T16:57:07+00:00 mjc wrote:

This vulnerability, CVE-2008-0600, did not affect Red Hat Enterprise Linux 2.1,
3, or 4.  Updated packages to correct this vulnerability are now available for
Red Hat Enterprise Linux along with our advisory at the URL:

https://rhn.redhat.com/errata/RHSA-2008-0129.html

Since all Red Hat and Fedora products are not updated, closing the bug.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/105

------------------------------------------------------------------------
On 2008-03-06T18:55:22+00:00 lwang wrote:

*** Bug 432319 has been marked as a duplicate of this bug. ***

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/119

https://bugs.launchpad.net/bugs/190587

Title:
  Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)

Status in Linux:
  Fix Released
Status in Ubuntu:
  Fix Released
Status in gplcver package in Ubuntu:
  Invalid
Status in linux package in Ubuntu:
  Fix Released
Status in linux-source-2.6.15 package in Ubuntu:
  Invalid
Status in linux-source-2.6.17 package in Ubuntu:
  Fix Released
Status in linux-source-2.6.20 package in Ubuntu:
  Fix Released
Status in linux-source-2.6.22 package in Ubuntu:
  Fix Released
Status in CentOS:
  Fix Released
Status in Debian:
  Fix Released
Status in linux package in Fedora:
  Fix Released
Status in Gentoo Linux:
  Fix Released
Status in Mandriva:
  Fix Released

Bug description:
  https://bugs.gentoo.org/show_bug.cgi?id=209460 works on at least Hardy
  2.6.24-7, Edgy 2.6.17-12, but not on Feisty 2.6.20-16.

-- 
Mailing list: https://launchpad.net/~kernel-packages