BitJam Advocate

Joined: 12 Aug 2003 Posts: 2513 Location: Silver City, NM
Posted: Sun Feb 10, 2008 9:35 pm Post subject: Linux Kernel 2.6 Local Root Exploit
Slashdot story.
The exploit works on my amd64 system with a 2.6.23-gentoo-r3 kernel.
knifeyspoony n00b

Joined: 01 Jun 2005 Posts: 70
Posted: Sun Feb 10, 2008 9:42 pm Post subject: vmsplice local root exploit
Today's slashdot brings news of an exploit in the wild for kernels 2.6.17 to 2.6.24.1. The workaround is to compile a kernel without vmsplice support.
I can't find an option in my 2.6.22 .config explicitly for vmsplice. Anyone know where to find it?
Voltago Advocate


Joined: 02 Sep 2003 Posts: 2593 Location: userland
nixnut Bodhisattva


Joined: 09 Apr 2004 Posts: 10974 Location: the dutch mountains
Posted: Sun Feb 10, 2008 10:00 pm Post subject:
First you can check if you are indeed vulnerable. Then you can either apply the patch posted here or simply make sure you have no untrusted local users (disable ssh access for example) and wait until patched kernel sources make it into portage. Since this is a pretty nasty issue you can expect that within days I'd say.
Edit: in fact, it's already committed: http://packages.gentoo.org/package/sys-kernel/gentoo-sources/
Quote: | *gentoo-sources-2.6.24-r1 (10 Feb 2008)
10 Feb 2008; Daniel Drake (dsd)
+gentoo-sources-2.6.24-r1.ebuild:
Update to Linux 2.6.24.1, includes important vmsplice() security fix. |
Also fixed is 2.6.23 with gentoo-sources-2.6.23-r7.ebuild
_________________
Please add [solved] to the initial post's subject line if you feel your problem is resolved. Help answer the unanswered
talk is cheap. supply exceeds demand
Timberwolves n00b

Joined: 27 Dec 2004 Posts: 18 Location: Texas
platojones Veteran


Joined: 23 Oct 2002 Posts: 1602 Location: Just over the horizon
Posted: Sun Feb 10, 2008 10:10 pm Post subject:
Wow, glad you were snooping around /. today. My kernel was wide open to this thing. 5 min later, made the 1 line source file change, recompiled the kernel and voila....that one is gone.
platojones Veteran


Joined: 23 Oct 2002 Posts: 1602 Location: Just over the horizon
Posted: Sun Feb 10, 2008 10:11 pm Post subject:
BTW, I just tested that fix and it works.
ksool Guru


Joined: 27 May 2006 Posts: 337 Location: Cambridge, MA
Posted: Sun Feb 10, 2008 11:39 pm Post subject:
Any word on what config option includes vmsplice?
dsd Developer

Joined: 30 Mar 2003 Posts: 2162 Location: nr London
Posted: Sun Feb 10, 2008 11:47 pm Post subject:
there is no way to disable vmsplice in your .config
you can disable it quite easily by modifying the kernel source, open fs/splice.c, search for sys_vmsplice() and then make the following modification to the function:
Code: |
asmlinkage long sys_vmsplice(int fd, const struct iovec __user *iov,
			     unsigned long nr_segs, unsigned int flags)
{
	struct file *file;
	long error;
	int fput;

	/* ADD THE LINE BELOW: refuse every vmsplice() call with -EINVAL
	 * until a fixed kernel is installed */
	return -EINVAL;

	if (unlikely(nr_segs > UIO_MAXIOV))
		return -EINVAL;
|
(untested)
the situation is quite confusing as there have actually been three security bugs classified with the vmsplice() implementation, which are solved by 2 patches (so let's just call them 2 issues)
the first security issue was introduced as of 2.6.23 (so was not exploitable on 2.6.22 or older), and has been fixed as of gentoo-sources-2.6.23-r7 / linux 2.6.23.15 / gentoo-sources-2.6.24-r1 / linux 2.6.24.1
the second security issue has existed since 2.6.17. this is not fixed by the above kernel releases. it will be fixed in gentoo-sources-2.6.23-r8 and 2.6.24-r2 which are flowing through the release pipeline as we speak. here's the patch (for both 2.6.23 and 2.6.24) in the meantime: http://dev.gentoo.org/~dsd/genpatches/trunk/2.6.24/1400_vmsplice-user-pointer.patch
(update: those kernels with that patch are now in portage)
there is no official upstream released kernel that fixes this bug yet. 2.6.24.1 is still vulnerable to the second security issue.
both issues allow the user to modify kernel memory, which means it's possible to crash the machine or become root.
when it appears in portage, general success reports of gentoo-sources-2.6.23-r8 would be highly appreciated as we will mark it stable a few hours after release, and there have been some other changes since the last stable version too (want to be sure we haven't added any obvious widespread issues)
_________________
http://dev.gentoo.org/~dsd
Last edited by dsd on Mon Feb 11, 2008 12:33 am; edited 1 time in total
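An added example (not code from the thread or from Gentoo): a POSIX shell function that classifies a `uname -r` string against the version matrix dsd gives in the post above, so a fleet can be triaged before anything is rebuilt. It assumes gentoo-sources release strings of the form 2.6.23-gentoo-r8 and plain upstream strings such as 2.6.24.1; the function name and the issue labels are mine.

```sh
#!/bin/sh
# Added example, not from the thread: classify a kernel release string (the
# output of `uname -r`) against the version matrix dsd describes above.
# Encoded facts, all taken from the posts in this thread:
#   issue 1: introduced in 2.6.23, fixed in linux 2.6.23.15 / 2.6.24.1,
#            i.e. gentoo-sources-2.6.23-r7 / gentoo-sources-2.6.24-r1
#   issue 2: present since 2.6.17, fixed only by gentoo-sources-2.6.23-r8 /
#            gentoo-sources-2.6.24-r2; 2.6.24.1 still open; no 2.6.22 release
#   pre-2.6.17 kernels and 2.6.25-rc1 are outside the affected range
set -e

# vmsplice_open_issues RELEASE -> prints the issues still open for RELEASE
# (empty output means the thread's matrix lists it as fixed or unaffected).
vmsplice_open_issues() {
    rel=$1
    base=${rel%%-*}                    # "2.6.23" from "2.6.23-gentoo-r8"
    rev=-1                             # gentoo-sources revision, -1 if not a gentoo-sources kernel
    case $rel in *-gentoo-r[0-9]*) rev=${rel##*-gentoo-r} ;; esac
    oldifs=$IFS; IFS=.; set -- $base; IFS=$oldifs
    n=$(($1 * 10000 + $2 * 100 + $3))  # 2.6.23 -> 20623, so versions compare as integers
    stable=${4:-0}                     # fourth component: 2.6.24.1 -> 1
    out=""
    if [ "$n" -lt 20617 ] || [ "$n" -ge 20625 ]; then
        printf '%s' "$out"; return 0
    fi
    # issue 2: only the gentoo -r8 (2.6.23) / -r2 (2.6.24) ebuilds carry the fix
    fixed2=0
    if [ "$n" -eq 20623 ] && [ "$rev" -ge 8 ]; then fixed2=1; fi
    if [ "$n" -eq 20624 ] && [ "$rev" -ge 2 ]; then fixed2=1; fi
    [ "$fixed2" -eq 1 ] || out="issue2-user-pointer"
    # issue 1: 2.6.23 and later only; fixed by stable 2.6.23.15 / 2.6.24.1 or gentoo -r7 / -r1
    if [ "$n" -ge 20623 ]; then
        fixed1=0
        if [ "$n" -eq 20623 ]; then
            if [ "$rev" -ge 7 ] || { [ "$rev" -lt 0 ] && [ "$stable" -ge 15 ]; }; then fixed1=1; fi
        else
            if [ "$rev" -ge 1 ] || { [ "$rev" -lt 0 ] && [ "$stable" -ge 1 ]; }; then fixed1=1; fi
        fi
        [ "$fixed1" -eq 1 ] || out="${out:+$out }issue1"
    fi
    printf '%s' "$out"
}

# Usage on the running kernel (empty result = nothing open per the thread):
#   issues=$(vmsplice_open_issues "$(uname -r)"); echo "open issues: ${issues:-none}"
```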
dsd Developer

Joined: 30 Mar 2003 Posts: 2162 Location: nr London
Posted: Mon Feb 11, 2008 12:06 am Post subject:
gentoo-sources-2.6.23-r8 and gentoo-sources-2.6.24-r2 are now in portage which solve both of the security issues. i'm particularly interested in success reports for the 2.6.23 release which will be marked stable when i get up in 8 hours time
it'll probably take about 30 minutes before these ebuilds appear in your "emerge --sync"
_________________
http://dev.gentoo.org/~dsd
Last edited by dsd on Mon Feb 11, 2008 12:16 am; edited 1 time in total
rlittle Apprentice


Joined: 17 Dec 2003 Posts: 200
Posted: Mon Feb 11, 2008 12:09 am Post subject:
I've unmasked gentoo-sources-2.6.24-r1, synced, downloaded, recompiled and installed the new kernel, and I still have the vulnerability.
I suppose I'm looking for 2.6.24.1?
_________________
I need a better signature...
BitJam Advocate

Joined: 12 Aug 2003 Posts: 2513 Location: Silver City, NM
Posted: Mon Feb 11, 2008 12:14 am Post subject:
You have to wait for the -r2 version to migrate to the mirrors.
asdx n00b

Joined: 29 May 2006 Posts: 28
Posted: Mon Feb 11, 2008 1:41 am Post subject:
2.6.25-rc1 just came out; this release fixes the vulnerability.
CyberFoxx n00b


Joined: 31 Jan 2006 Posts: 25
Posted: Mon Feb 11, 2008 2:14 am Post subject:
Well, I just hope this gets patched in the tuxonice-sources soon as well.
NightMonkey Guru


Joined: 21 Mar 2003 Posts: 357 Location: Philadelphia, PA
Posted: Mon Feb 11, 2008 8:30 am Post subject:
Quote: | the second security issue has existed since 2.6.17. this is not fixed by the above kernel releases. it will be fixed in gentoo-sources-2.6.23-r8 and 2.6.24-r2 which are flowing through the release pipeline as we speak. here's the patch (for both 2.6.23 and 2.6.24) in the meantime: http://dev.gentoo.org/~dsd/genpatches/trunk/2.6.24/1400_vmsplice-user-pointer.patch
(update: those kernels with that patch are now in portage)
there is no official upstream released kernel that fixes this bug yet. 2.6.24.1 is still vulnerable to the second security issue. |
Will 2.6.22 (or earlier) kernels get the patch as well? I've got a few servers still running .22. Thanks.
desultory Bodhisattva


Joined: 04 Nov 2005 Posts: 9410
Posted: Mon Feb 11, 2008 8:51 am Post subject:
Bear in mind that patching the kernel is not the only way to handle this problem.
dsd Developer

Joined: 30 Mar 2003 Posts: 2162 Location: nr London
Posted: Mon Feb 11, 2008 9:00 am Post subject:
can't speak for other kernels, but there will be no further gentoo-sources-2.6.22 releases so you will have to upgrade or patch it yourself
_________________
http://dev.gentoo.org/~dsd
bunder Bodhisattva

Joined: 10 Apr 2004 Posts: 5956
Posted: Mon Feb 11, 2008 9:05 am Post subject:
if you want to patch it by hand you can do this:
take your ebuild and copy it to your local overlay
add this line: (best place is right above pkg_setup)
Quote: | UNIPATCH_LIST="${FILESDIR}/novmsplice.patch"
|
and download the patch file and put it in /usr/local/portage/sys-kernel/gentoo-sources/files (giving it the name of the .patch file you listed above). oh, and of course, digest, re-emerge and compile.
worked for me on 2.6.18-r6.
cheers
_________________
Neddyseagoon wrote: | The problem with leaving is that you can only do it once and it reduces your influence. |
banned from #gentoo since sept 2017
Last edited by bunder on Mon Feb 11, 2008 9:08 am; edited 1 time in total
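The overlay procedure from the post above as a script (an added example, not bunder's own commands or part of any Gentoo tool). It assumes the local overlay is /usr/local/portage and already listed in PORTDIR_OVERLAY, the main tree is /usr/portage, the patch file is novmsplice.patch and the ebuild defines pkg_setup(); the function names are mine.

```sh
#!/bin/sh
# Added example, not bunder's own script: carry a gentoo-sources ebuild into a
# local overlay with the UNIPATCH_LIST line inserted directly above pkg_setup(),
# so the kernel eclass applies novmsplice.patch from the overlay's files/ dir.
# Assumptions: overlay root /usr/local/portage (already in PORTDIR_OVERLAY),
# main tree /usr/portage, and an ebuild that defines pkg_setup().
set -e

# add_unipatch_line SRC_EBUILD DST_EBUILD PATCHNAME
# Copies SRC to DST, inserting UNIPATCH_LIST="${FILESDIR}/PATCHNAME" directly
# above pkg_setup(). Returns 1 if SRC has no pkg_setup or already sets
# UNIPATCH_LIST, so a second run cannot add the line twice.
add_unipatch_line() {
    src=$1; dst=$2; patch=$3
    grep -q '^pkg_setup()' "$src" || return 1
    if grep -q '^UNIPATCH_LIST=' "$src"; then return 1; fi
    while IFS= read -r line; do
        case $line in
            "pkg_setup()"*) printf 'UNIPATCH_LIST="${FILESDIR}/%s"\n' "$patch" ;;
        esac
        printf '%s\n' "$line"
    done < "$src" > "$dst"
}

# patch_overlay_ebuild PV PATCHFILE    e.g. patch_overlay_ebuild 2.6.18-r6 ./novmsplice.patch
# Copies the tree ebuild into the overlay with the UNIPATCH_LIST line, drops the
# patch into files/, regenerates the Manifest and re-emerges the sources.
patch_overlay_ebuild() {
    pv=$1; patchfile=$2
    tree=/usr/portage/sys-kernel/gentoo-sources
    overlay=/usr/local/portage/sys-kernel/gentoo-sources
    mkdir -p "$overlay/files"
    add_unipatch_line "$tree/gentoo-sources-$pv.ebuild" \
        "$overlay/gentoo-sources-$pv.ebuild" "$(basename "$patchfile")"
    cp "$patchfile" "$overlay/files/"
    ebuild "$overlay/gentoo-sources-$pv.ebuild" digest   # the "digest" step from the post
    emerge "=sys-kernel/gentoo-sources-$pv"              # then configure and build as usual
}
```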
blu3bird Retired Dev

Joined: 04 Oct 2003 Posts: 617 Location: Munich, Germany
Posted: Mon Feb 11, 2008 9:06 am Post subject:
gcc jessica_biel_naked_in_my_bed.c -static -Wno-format wrote: | jessica_biel_naked_in_my_bed.c:138:2: error: #error "unsupported arch" |
Sometimes it's a good thing to be on a rarely used arch
But I'd better patch my kernel before someone is able to write the necessary asm code :>
_________________
Black Holes are created when God divides by zero!
tapted Tux's lil' helper


Joined: 02 Dec 2003 Posts: 122 Location: Sydney, Australia
Posted: Mon Feb 11, 2008 9:30 am Post subject:
dsd wrote: |
when it appears in portage, general success reports of gentoo-sources-2.6.23-r8 would be highly appreciated as we will mark it stable a few hours after release, and there have been some other changes since the last stable version too (want to be sure we haven't added any obvious widespread issues) |
I've updated 5 gentoo machines this way, all were previously vulnerable, all are now not. All are running fine.
I think it's the first time ever my PCs have all had synchronised kernels:
Code: |
uname -a ; cat /proc/version
Linux daisy 2.6.23-gentoo-r8 #1 SMP Mon Feb 11 12:14:40 EST 2008 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 6000+ AuthenticAMD GNU/Linux
Linux version 2.6.23-gentoo-r8 (root@daisy) (gcc version 4.1.2 (Gentoo 4.1.2 p1.0.2)) #1 SMP Mon Feb 11 12:14:40 EST 2008
Linux xx-xxx-0 2.6.23-gentoo-r8 #1 SMP PREEMPT Mon Feb 11 12:31:06 EST 2008 i686 Intel(R) Pentium(R) D CPU 3.00GHz GenuineIntel GNU/Linux
Linux version 2.6.23-gentoo-r8 (root@pc-xxx-x) (gcc version 4.1.2 20070214 ( (gdc 0.24, using dmd 1.020)) (Gentoo 4.1.2 p1.0.2)) #1 SMP PREEMPT Mon Feb 11 12:31:06 EST 2008
Linux xx-xxx-7 2.6.23-gentoo-r8 #1 SMP PREEMPT Mon Feb 11 12:32:32 EST 2008 i686 Intel(R) Pentium(R) 4 CPU 3.00GHz GenuineIntel GNU/Linux
Linux version 2.6.23-gentoo-r8 (root@pc-xxx-x) (gcc version 4.1.2 20070214 ( (gdc 0.23, using dmd 1.007)) (Gentoo 4.1.2 p1.0.1)) #1 SMP PREEMPT Mon Feb 11 12:32:32 EST 2008
Linux xx-xxx-9 2.6.23-gentoo-r8 #1 PREEMPT Mon Feb 11 12:32:09 EST 2008 i686 Intel(R) Pentium(R) 4 CPU 2.53GHz GenuineIntel GNU/Linux
Linux version 2.6.23-gentoo-r8 (root@xx-xxx-x) (gcc version 4.1.2 20070214 ( (gdc 0.23, using dmd 1.007)) (Gentoo 4.1.2)) #1 PREEMPT Mon Feb 11 12:32:09 EST 2008
Linux xx-xxx-1 2.6.23-gentoo-r8 #1 SMP PREEMPT Mon Feb 11 12:32:32 EST 2008 i686 Intel(R) Pentium(R) D CPU 3.00GHz GenuineIntel GNU/Linux
Linux version 2.6.23-gentoo-r8 (root@xx-xxx-x) (gcc version 4.1.2 20070214 ( (gdc 0.24, using dmd 1.020)) (Gentoo 4.1.2 p1.0.2)) #1 SMP PREEMPT Mon Feb 11 12:32:32 EST 2008
|
All done with
Code: | emerge --sync
echo '=sys-kernel/gentoo-sources-2.6.23-r8' >> /etc/portage/package.keywords
emerge gentoo-sources
(fix symlink, copy .config)
make oldconfig
make && make modules_install && mount /boot && make install && emerge ati-drivers && reboot
|
note: times are Australian EST (GMT +11). i.e. ~8 hours before this post -- go Gentoo, getting this patched so quickly!
dsd Developer

Joined: 30 Mar 2003 Posts: 2162 Location: nr London
Posted: Mon Feb 11, 2008 9:33 am Post subject:
thanks, i marked it stable about 30 mins ago
_________________
http://dev.gentoo.org/~dsd
Target Apprentice

Joined: 25 Apr 2002 Posts: 200
Posted: Mon Feb 11, 2008 11:12 am Post subject:
Securityfocus report: http://www.securityfocus.com/bid/27704/info
The exploit exits with "Killed" on the hardened environments I've tested it under, save for an Athlon64 box, which kernel panics instead for some reason.
baeksu l33t


Joined: 26 Sep 2004 Posts: 609 Location: Seoul, Korea
Posted: Mon Feb 11, 2008 12:23 pm Post subject:
desultory wrote: | Bear in mind that patching the kernel is not the only way to handle with this problem. |
I built the module with the makefile and insmod'd it. After that the exploit segfaults (while dumping a very scary message from kernel), so I guess it disables the exploit for now.
Thanks for that, I've patched my server, but won't be able to reboot at least for a few days, so that fix should tide me over until my next 'unscheduled downtime'.
_________________
Gnome:
1. A legendary being.
2. A never ending quest to make unix friendly to people who don't want unix and excruciating for those that do.
depontius Advocate

Joined: 05 May 2004 Posts: 3530
Posted: Mon Feb 11, 2008 1:42 pm Post subject:
Any news about a fix for this to hardened-sources?
I control pretty tightly who is able to ssh onto my hardened-sources machines, but I'd still like the fix for this on them.
_________________
.sigs waste space and bandwidth
albright Advocate


Joined: 16 Nov 2003 Posts: 2588 Location: Near Toronto
Posted: Mon Feb 11, 2008 2:21 pm Post subject:
I find that the exploit will not compile on any of my gentoo machines.
I get these messages:
Code: | exploit2.c:30:22: error: asm/page.h: No such file or directory
exploit2.c: In function 'main':
exploit2.c:211: error: 'PAGE_SIZE' undeclared (first use in this function)
exploit2.c:211: error: (Each undeclared identifier is reported only once
exploit2.c:211: error: for each function it appears in.)
|
(by some creative linkage I can get rid of the page.h error, but not the other ...)
I'm just curious what's going on here ...
_________________
.... there is nothing - absolutely nothing - half so much worth
doing as simply messing about with Linux ...
(apologies to Kenneth Graeme)