Bug#464945: linux-image-2.6.18-6-686: Exploit for vmsplice work for linux-image-2.18-5-686 (CVE-2008-0009/10)
On Sun, Feb 10, 2008 at 01:00:33PM +0100, Bastian Blank wrote:
> On Sun, Feb 10, 2008 at 03:19:20AM +0300, Okulov Vitaliy wrote:
> > Just try exploit from http://www.milw0rm.com/exploits/5092 at my
> > linux-image-2.6.18-5-686 kernel. And it works. Please backport patch
> > from 2.6.24.1 kernel (CVE-2008-0009/10).
> Preliminary patch, it includes more checks than the update in 2.6.24.1.
I made i386 and amd64 images which include the patch. You can get them
on http://134.2.34.20/blank/debian/linux-2.6/. The checksums are
attached.
Bug#464945: linux-image-2.6.18-6-686: Exploit for vmsplice work for linux-image-2.18-5-686 (CVE-2008-0009/10)
On Sun, Feb 10, 2008 at 02:43:23PM +0100, Bastian Blank wrote:
> On Sun, Feb 10, 2008 at 01:00:33PM +0100, Bastian Blank wrote:
> > On Sun, Feb 10, 2008 at 03:19:20AM +0300, Okulov Vitaliy wrote:
> > > Just try exploit from http://www.milw0rm.com/exploits/5092 at my
> > > linux-image-2.6.18-5-686 kernel. And it works. Please backport patch
> > > from 2.6.24.1 kernel (CVE-2008-0009/10).
> > Preliminary patch, it includes more checks than the update in 2.6.24.1.
> I made i386 and amd64 images which include the patch. You can get them
> on http://134.2.34.20/blank/debian/linux-2.6/. The checksums are
> attached.
Final version, 2.6.18.dfsg.1-18etch1. Nothing from the security team.
On Sun, Feb 10, 2008 at 03:19:20AM +0300, Okulov Vitaliy wrote:
> Just try exploit from http://www.milw0rm.com/exploits/5092 at my
> linux-image-2.6.18-5-686 kernel. And it works. Please backport patch
> from 2.6.24.1 kernel (CVE-2008-0009/10).
Preliminary patch, it includes more checks than the update in 2.6.24.1.
Bug#464945: linux-image-2.6.18-6-686: Exploit for vmsplice work for linux-image-2.18-5-686 (CVE-2008-0009/10)
* Bastian Blank:
> diff --git a/fs/splice.c b/fs/splice.c
> index 684bca3..2d7e598 100644
> --- a/fs/splice.c
> +++ b/fs/splice.c
> @@ -1122,6 +1122,11 @@ static int get_iovec_page_array(const struct iovec __user *iov,
> size_t len;
> int i;
>
> + if (!access_ok(VERIFY_READ, iov, sizeof(struct iovec))) {
> + error = -EFAULT;
> + break;
> + }
> +
> /*
> * Get user address base and length for this iovec.
> */
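Review bot: the access_ok(VERIFY_READ, iov, sizeof(struct iovec)) check added at the top of this loop iteration duplicates the range validation that get_user() already performs when it reads the iovec fields immediately afterwards, so it is redundant (harmless, but it adds no protection). If it is kept anyway, note that the `error = -EFAULT; break;` path leaves the loop with `error` set, so confirm that the function's existing exit path handles a partially filled page array rather than returning it to the caller. As quoted here the hunk has also lost its leading indentation, so it will not apply cleanly without re-indenting.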
For the record, the above hunk is unnecessary because the get_user()
calls which immediately follow the quoted code perform implicit
access_ok() checks. CVE-2008-0010 does NOT apply to our 2.6.18 kernel
(but the additional access_ok() call doesn't cause any harm, either).
I'm writing this because some vendors have released pre-2.6.23 patches
without this hunk, and I don't want to create the impression they are still
vulnerable.
--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
02-12-2008, 05:26 PM
Bastian Blank
Bug#464945: linux-image-2.6.18-6-686: Exploit for vmsplice work for linux-image-2.18-5-686 (CVE-2008-0009/10)
On Tue, Feb 12, 2008 at 07:01:58PM +0100, Florian Weimer wrote:
> For the record, the above hunk is unnecessary because the get_user()
> calls which immediately follow the quoted code perform implicit
> access_ok() checks. CVE-2008-0010 does NOT apply to our 2.6.18 kernel
> (but the additional access_ok() call doesn't cause any harm, either).
Looks like I misread a comment. I rechecked it and it does the check.
Bastian
--
No problem is insoluble.
-- Dr. Janet Wallace, "The Deadly Years", stardate 3479.4