[CentOS-devel] heads up: CVE-2008-0600 kernel root exploit

Mon Feb 11 16:28:11 UTC 2008
Charlie Brady <charlieb-centos-devel at budge.apana.org.au>

On Sun, 10 Feb 2008, Matthew Miller wrote:

> On Sun, Feb 10, 2008 at 07:17:27PM -0600, Baird, Josh wrote:
>> It actually made my 2.6.18-53.1.4.el5 x86 box panic.
>
> Yeah, me too. So that's arguably less severe, but still no good.

A tweak of the exploit will make it work on x86_64 rather than cause 
kernel panic (https://bugzilla.redhat.com/show_bug.cgi?id=432251#c23).

Proposed patch is already in upstream bug tracker 
(https://bugzilla.redhat.com/show_bug.cgi?id=432251#c6)

diff -urN linux-2.6.18.x86_64/fs/splice.c linux-2.6.18.x86_64-fix/fs/splice.c
--- linux-2.6.18.x86_64/fs/splice.c     2008-02-10 11:08:19.000000000 -0500
+++ linux-2.6.18.x86_64-fix/fs/splice.c 2008-02-10 11:31:06.000000000 -0500
@@ -1154,6 +1154,9 @@
                 if (unlikely(!base))
                         break;

+               if (unlikely(!access_ok(VERIFY_READ, base, len)))
+                       break;
+
                 /*
                  * Get this base offset and number of pages, then map
                  * in the user pages.