From: Bastian Blank <[email protected]>
The commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
pointer access verification") added access_ok() to copy_from_user_mmap_sem()
which only ensures we can copy the struct iovecs from userspace to the kernel
but we also must check whether we can access the actual memory region pointed
to by the struct iovec to close the local root exploit.
Cc: <[email protected]>
Cc: Jens Axboe <[email protected]>
Cc: Andrew Morton <[email protected]>
Signed-off-by: Pekka Enberg <[email protected]>
---
Bastian, can I have your Signed-off-by for this, please? Oliver, Niki, can
you please confirm this closes the hole?
fs/splice.c | 3 +++
1 file changed, 3 insertions(+)
Index: linux-2.6/fs/splice.c
===================================================================
--- linux-2.6.orig/fs/splice.c
+++ linux-2.6/fs/splice.c
@@ -1237,6 +1237,9 @@ static int get_iovec_page_array(const st
if (unlikely(!base))
break;
+ if (unlikely(!access_ok(VERIFY_READ, base, len)))
+ break;
+
/*
* Get this base offset and number of pages, then map
* in the user pages.
On Sun, Feb 10, 2008 at 04:47:57PM +0200, Pekka J Enberg wrote:
> From: Bastian Blank <[email protected]>
>
> The commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
> pointer access verification") added access_ok() to copy_from_user_mmap_sem()
> which only ensures we can copy the struct iovecs from userspace to the kernel
> but we also must check whether we can access the actual memory region pointed
> to by the struct iovec to close the local root exploit.
>
> Cc: <[email protected]>
> Cc: Jens Axboe <[email protected]>
> Cc: Andrew Morton <[email protected]>
> Signed-off-by: Pekka Enberg <[email protected]>
Signed-off-by: Bastian Blank <[email protected]>
> Index: linux-2.6/fs/splice.c
> ===================================================================
> --- linux-2.6.orig/fs/splice.c
> +++ linux-2.6/fs/splice.c
> @@ -1237,6 +1237,9 @@ static int get_iovec_page_array(const st
> if (unlikely(!base))
> break;
>
> + if (unlikely(!access_ok(VERIFY_READ, base, len)))
> + break;
> +
> /*
> * Get this base offset and number of pages, then map
> * in the user pages.
--
Those who hate and fight must stop themselves -- otherwise it is not stopped.
-- Spock, "Day of the Dove", stardate unknown
Signed-off-by: Oliver Pinter <[email protected]>
----8<----
Linux pancs 2.6.22.17-opt2-cve2 #1 SMP Sun Feb 10 16:22:37 CET 2008
i686 GNU/Linux
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f2d000 .. 0xb7f5f000
[-] vmsplice: Bad address
-----
oliver@pancs:/tmp$ uname -a && ./2623_2624_root_exploit
Linux pancs 2.6.22.17-opt2-cve2 #1 SMP Sun Feb 10 16:22:37 CET 2008
i686 GNU/Linux
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] addr: 0xc01112e9
[-] wtf
---->8----
On 2/10/08, Bastian Blank <[email protected]> wrote:
> On Sun, Feb 10, 2008 at 04:47:57PM +0200, Pekka J Enberg wrote:
> > From: Bastian Blank <[email protected]>
> >
> > The commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
> > pointer access verification") added access_ok() to
> copy_from_user_mmap_sem()
> > which only ensures we can copy the struct iovecs from userspace to the
> kernel
> > but we also must check whether we can access the actual memory region
> pointed
> > to by the struct iovec to close the local root exploit.
> >
> > Cc: <[email protected]>
> > Cc: Jens Axboe <[email protected]>
> > Cc: Andrew Morton <[email protected]>
> > Signed-off-by: Pekka Enberg <[email protected]>
> Signed-off-by: Bastian Blank <[email protected]>
>
> > Index: linux-2.6/fs/splice.c
> > ===================================================================
> > --- linux-2.6.orig/fs/splice.c
> > +++ linux-2.6/fs/splice.c
> > @@ -1237,6 +1237,9 @@ static int get_iovec_page_array(const st
> > if (unlikely(!base))
> > break;
> >
> > + if (unlikely(!access_ok(VERIFY_READ, base, len)))
> > + break;
> > +
> > /*
> > * Get this base offset and number of pages, then map
> > * in the user pages.
>
> --
> Those who hate and fight must stop themselves -- otherwise it is not
> stopped.
> -- Spock, "Day of the Dove", stardate unknown
>
--
Thanks,
Oliver
On Sun, Feb 10, 2008 at 04:47:57PM +0200, Pekka J Enberg wrote:
> From: Bastian Blank <[email protected]>
>
> The commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
> pointer access verification") added access_ok() to copy_from_user_mmap_sem()
> which only ensures we can copy the struct iovecs from userspace to the kernel
> but we also must check whether we can access the actual memory region pointed
> to by the struct iovec to close the local root exploit.
>
> Cc: <[email protected]>
> Cc: Jens Axboe <[email protected]>
> Cc: Andrew Morton <[email protected]>
> Signed-off-by: Pekka Enberg <[email protected]>
> ---
> Bastian, can I have your Signed-off-by for this, please? Oliver, Niki, can
> you please confirm this closes the hole?
Pekka, I confirm that it also closes the hole once backported to 2.6.22.
Willy
Linux pancs 2.6.22.17-opt2-cve2 #1 SMP Sun Feb 10 16:22:37 CET 2008
i686 GNU/Linux
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f95000 .. 0xb7fc7000
[-] vmsplice: Bad address
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] addr: 0xc01112e9
[-] wtf
the patch is good for 2.6.22.y
On 2/11/08, Willy Tarreau <[email protected]> wrote:
> On Sun, Feb 10, 2008 at 04:47:57PM +0200, Pekka J Enberg wrote:
> > From: Bastian Blank <[email protected]>
> >
> > The commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
> > pointer access verification") added access_ok() to
> copy_from_user_mmap_sem()
> > which only ensures we can copy the struct iovecs from userspace to the
> kernel
> > but we also must check whether we can access the actual memory region
> pointed
> > to by the struct iovec to close the local root exploit.
> >
> > Cc: <[email protected]>
> > Cc: Jens Axboe <[email protected]>
> > Cc: Andrew Morton <[email protected]>
> > Signed-off-by: Pekka Enberg <[email protected]>
> > ---
> > Bastian, can I have your Signed-off-by for this, please? Oliver, Niki, can
> > you please confirm this closes the hole?
>
> Pekka, I confirm that it also closes the hole once backported to 2.6.22.
>
> Willy
>
>
--
Thanks,
Oliver
Kudos to all involved in the rapid response. But.
Information on patching this vulnerability is not available front and
center in many of the places you would expect: kernel.org front page,
debian.org front page, covered on planet.debian.org but without a
pointer to the patch, and so on. So this post provides a subject line
for Google to find, and for good measure mentions the word
vulnerability.
Also,
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953
I think many users would first go to kernel.org on a day like today, as
I did. Nothing to see there. We could do a way better job of getting
the word out.
Patch attached as posted above by Pekka. For the mortals among us:
cd linux-2.6.recent && patch <fix.vmsplice.exploit.patch -p1
Regards,
Daniel
On Sun, Feb 10, 2008 at 11:29:50PM -0800, Daniel Phillips wrote:
> Kudos to all involved in the rapid response. But.
>
> Information on patching this vulnerability is not available front and
> center in many of the places you would expect: kernel.org front page,
> debian.org front page, covered on planet.debian.org but without a
> pointer to the patch, and so on. So this post provides a subject line
> for Google to find, and for good measure mentions the word
> vulnerability.
All currently active Linux kernel versions are now released with a fix
for this problem. We have released them through our normal channels,
with the needed information as to what the problem is, a pointer to the
CVE number, and the patch itself.
I don't think there's much more we need to do here, do you?
thanks,
greg k-h
Hi Daniel,
On Feb 11, 2008 9:29 AM, Daniel Phillips <[email protected]> wrote:
> I think many users would first go to kernel.org on a day like today, as
> I did. Nothing to see there. We could do a way better job of getting
> the word out.
Any suggestions what I could have done better here? As soon as Linus
merged the patch, I sent it to [email protected] and expected
information to spread from there. I did also follow up on some vendor
bugzillas (Debian, RHEL, Fedora) to make sure they were aware of the
merged patch (they were).
Pekka
On Sunday 10 February 2008 23:49, Pekka Enberg wrote:
> Hi Daniel,
>
> On Feb 11, 2008 9:29 AM, Daniel Phillips <[email protected]> wrote:
> > I think many users would first go to kernel.org on a day like
> > today, as I did. Nothing to see there. We could do a way better
> > job of getting the word out.
>
> Any suggestions what I could have done better here?
You did your part flawlessly as far as I can see. Really, your original
subject line was accurate, and lkml should not be the place to go to
find the patch, but it is.
> As soon as Linus
> merged the patch, I sent it to [email protected] and expected
> information to spread from there. I did also follow up on some vendor
> bugzillas (Debian, RHEL, Fedora) to make sure they were aware of the
> merged patch (they were).
And they are no doubt getting kernel revs out at this very moment, that
part of the machine works great. It is just the part about getting out
information to users who want to patch their own kernels that could be
done better.
Regards,
Daniel
On Sunday 10 February 2008 23:53, Greg KH wrote:
> I don't think there's much more we need to do here, do you?
No amount of information about such a thing is too much information. We
do not need to do any more, but we can do more.
It is news, how about an entry in the kernel.org news section? How
about a security alerts section on kernel.org? There is a lot that can
be done to support people who want to patch their kernels as quickly as
possible.
Regards,
Daniel