heads up: CVE-2008-0600 kernel root exploit

List overview All Threads
Download

newer

older

missing two updates in csgfs...

Anaconda improvement for network...

Matthew Miller

10 Feb 2008 10 Feb '08

10:54 p.m.

This has a trivially-available local root exploit code, and is already generating a bit of community panic. I expect we'll be seeing an update RSN.

https://bugzilla.redhat.com/show_bug.cgi?id=432251

-- Matthew Miller mattdm@mattdm.org http://mattdm.org/ Boston University Linux ------> http://linux.bu.edu/

Show replies by date

Baird, Josh

11 Feb 11 Feb

1:17 a.m.

It actually made my 2.6.18-53.1.4.el5 x86 box panic.

Josh

________________________________

From: centos-devel-bounces@centos.org on behalf of Matthew Miller Sent: Sun 2/10/2008 5:54 PM To: The CentOS developers mailing list. Subject: [CentOS-devel] heads up: CVE-2008-0600 kernel root exploit

This has a trivially-available local root exploit code, and is already generating a bit of community panic. I expect we'll be seeing an update RSN.

https://bugzilla.redhat.com/show_bug.cgi?id=432251

-- Matthew Miller mattdm@mattdm.org http://mattdm.org/ Boston University Linux ------> http://linux.bu.edu/ _______________________________________________ CentOS-devel mailing list CentOS-devel@centos.org http://lists.centos.org/mailman/listinfo/centos-devel

Jethro Carr

3:18 a.m.

On Sun, 2008-02-10 at 19:17 -0600, Baird, Josh wrote:

...

It actually made my 2.6.18-53.1.4.el5 x86 box panic.

I also had a panic on the 2 boxes I tested the exploit with.

x86 VMware guest running 2.6.18-53.1.6.el5 x86_64 server running 2.6.18-53.1.6.el5 (SMP)

-- Jethro Carr www.jethrocarr.com www.jethrocarr.com/index.php?cms=blog

Matthew Miller

3:29 a.m.

On Sun, Feb 10, 2008 at 07:17:27PM -0600, Baird, Josh wrote:

...

It actually made my 2.6.18-53.1.4.el5 x86 box panic.

Yeah, me too. So that's arguably less severe, but still no good.

-- Matthew Miller mattdm@mattdm.org http://mattdm.org/ Boston University Linux ------> http://linux.bu.edu/

Bent Terp

4:14 a.m.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

dzickus' testing kernel .78 seems to solve both this and .6's nfs issues - however we're seeing about 50% stability with it: one machine works fine, one crashed twice in 4 days.

/Bent

...PGP SIGNATURE...

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: http://firegpg.tuxfamily.org iQIVAwUBR6/LnoyMFfRCAeEGAQJL5hAAlNAxwttZ3qCQvGHiYl9sG0H+umWDYmWN RqfU3FgiixHalbiYNfR3XpCspfjYVFxGxafb3UvNRJEnxCQylZJkeACJ9hJVRpyY BNs0srtmY0WxxslXXIhY72gP2dK4V1OgHlEiz3ArK9FZHmgcxkBxbm9b79FOVRae Ou1Iir0Qis6E1oLFdZJfHwme00zdfzIsg8iN04Xwu/DbuqlF3gBdpN+Dy8pe0GV3 3oIj0Arq1R6+8JEAQOFzUDTOKPX2QKJyzI2gLXpodXfpdFrBoq8PusGEm+ppNOZi iFhoXzeeS1tcSjwJBjWiiDI09UuuFHhZZe2iKWzjPKEc62AfU+7eqZFQdTfa4OBK 3Bk7lu7ojPQ2io0gA4cFFMgD3OLqKpmMmZBllWYsNOrFWiIARzR0Kb+PoNF3VReG 6lpp/QfdNeoeCDpd6GVJOZsss2Ggf0ZRf8JwVvGwrgqcmsoFV/QdTx34FwPGZt7l +tQiJKfGXUh9wn2dERyEKR4uPXg4uFajat0Qk1MGzjc0mnO09IwxMR90/0jsvArE skaQn/aSRiGsyblhKISl9O5vYzIJNCyWnIfKLFevZG+Vj0r7sIRXW/WJgaOxVnUE ndtaVH8m3Q7mYbLzJl4MmofMjrGfvAijiGNIPvdS29Ixa1sg7apRmDl1i9StfK+7 +Tr4BG+QZ1k= =JC+v -----END PGP SIGNATURE-----

Charlie Brady

4:28 p.m.

On Sun, 10 Feb 2008, Matthew Miller wrote:

...

On Sun, Feb 10, 2008 at 07:17:27PM -0600, Baird, Josh wrote:

...
It actually made my 2.6.18-53.1.4.el5 x86 box panic.

Yeah, me too. So that's arguably less severe, but still no good.

A tweak of the exploit will make it work on x86_64 rather than cause kernel panic (https://bugzilla.redhat.com/show_bug.cgi?id=432251#c23).

Proposed patch is already in upstream bug tracker (https://bugzilla.redhat.com/show_bug.cgi?id=432251#c6)

diff -urN linux-2.6.18.x86_64/fs/splice.c linux-2.6.18.x86_64-fix/fs/splice.c --- linux-2.6.18.x86_64/fs/splice.c 2008-02-10 11:08:19.000000000 -0500 +++ linux-2.6.18.x86_64-fix/fs/splice.c 2008-02-10 11:31:06.000000000 -0500 @@ -1154,6 +1154,9 @@ if (unlikely(!base)) break;

+ if (unlikely(!access_ok(VERIFY_READ, base, len))) + break; + /* * Get this base offset and number of pages, then map * in the user pages.

6128

Age (days ago)

6129

Last active (days ago)

devel@lists.centos.org

5 comments

5 participants

tags (0)

participants (5)

Baird, Josh
Bent Terp
Charlie Brady
Jethro Carr
Matthew Miller