[Users] New kernel vuln...
Konstantin Khorenko
khorenko at openvz.org
Tue Aug 18 09:38:56 EDT 2009
Hi Michael,
> That's nice to know. Good job. But you're doing this somewhere else than in
> net/socket.c I guess? Because net/socket.c took Linus Torvalds patch just fine
> w/o any rejects when I rebuilt 028stab064.4 from your SRPM and patched the
> hole with this:
> ...
you see, your patch fixes the issue http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
while in the 64.4 kernel we have another issue fixed (related, but still another); it is described at http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html
This is fixed by the following patch: http://patchwork.kernel.org/patch/32598/
Surely we'll include the patch you sent in the next kernel, but we can just do it a little bit later (not ASAP), as the current PVC kernel is not vulnerable despite the absence of this patch.
--
Konstantin
On 08/18/2009 05:02 PM, Michael Stauber wrote:
> Hi Konstantin,
>
>> Michael, could you please confirm that you were able to gain root on a
>> kernel before 64.4?
>
> Confirmed. I didn't test 028stab064.4 (which was released just a few days
> prior to the announcement of the exploit), but tested older kernels. With the
> following kernels I could get root access on the master node with the exploit,
> but not inside a VE:
>
> CentOS5:
> 2.6.18-128.1.1.el5.028stab062.3
> 2.6.18-92.1.18.el5.028stab060.2
> 2.6.18-53.1.19.el5.028stab053.14
>
> CentOS4:
> 2.6.9-023stab043.2 (Very outdated, I know. Last CentOS4 box I have.)
>
> I know, it's an odd mix, but that's what I had running. Production boxes on my
> end usually have new kernels, internal devel boxes are often less frequently
> patched.
>
>> The kernel is immune due to the fact that 64.4 kernel has the bypassing
>> "mmap_min_addr" issue fixed:
>> http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html - description
>> of the problem
>>
>> Exploits for the current issue, in their turn, need this hole to gain root
>> access.
>
> That's nice to know. Good job. But you're doing this somewhere else than in
> net/socket.c I guess? Because net/socket.c took Linus Torvalds patch just fine
> w/o any rejects when I rebuilt 028stab064.4 from your SRPM and patched the
> hole with this:
>
> ----------------------------------------------------------------------
> --- ./net/socket.c 2006-09-19 23:42:06.000000000 -0400
> +++ ./net/socket.c 2009-08-14 19:24:21.000000000 -0400
> @@ -698,7 +698,7 @@
> if (more)
> flags |= MSG_MORE;
>
> - return sock->ops->sendpage(sock, page, offset, size, flags);
> + return kernel_sendpage(sock, page, offset, size, flags);
> }
>
> static struct sock_iocb *alloc_sock_iocb(struct kiocb *iocb,
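Review bot: the hunk only moves the dispatch from the call site into kernel_sendpage(); it closes the NULL-dereference only if kernel_sendpage() in this 2.6.18-based tree checks sock->ops->sendpage for NULL and falls back to a safe default (Linus's upstream fix does, but nothing in this diff shows the body of that function in the rebuilt tree), so please confirm that before relying on the rebuild. The hunk header `@@ -698,7 +698,7 @@` also carries no enclosing-function context, which makes it hard to confirm that the patched line is the one in sock_sendpage(); regenerating the diff with function context (diff -up) would make the review self-contained.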
> ----------------------------------------------------------------------
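The thread turns on a protocol ops table whose optional sendpage callback may be NULL, and on routing every call through a dispatcher that tolerates that. The following user-space C program is an added example, not code from this thread or from the OpenVZ or Linux trees: it models that pattern with hypothetical names (struct proto_ops, safe_sendpage, no_sendpage, audit_sendpage_ops), shows the unsafe direct-call shape only in a comment, and adds an audit helper that reports which tables leave the operation unset, which is the check a maintainer would want to run over a whole tree of ops tables rather than fixing one call site.

```c
/* Added example (not from the thread): dispatching through an ops table
 * whose optional member may be NULL. Names are hypothetical stand-ins for
 * the kernel structures discussed in the thread. */
#include <stddef.h>
#include <errno.h>
#include <stdio.h>

struct page;  /* opaque placeholder for the kernel's struct page */

struct proto_ops {
    const char *name;
    /* Optional: a protocol that does not support sendpage leaves this NULL. */
    long (*sendpage)(struct page *page, int offset, size_t size, int flags);
};

/* A protocol that implements sendpage; pretends all bytes were queued. */
static long tcp_like_sendpage(struct page *page, int offset, size_t size, int flags)
{
    (void)page; (void)offset; (void)flags;
    return (long)size;
}

/* Safe default used when a protocol leaves sendpage unset. */
static long no_sendpage(struct page *page, int offset, size_t size, int flags)
{
    (void)page; (void)offset; (void)size; (void)flags;
    return -EINVAL;
}

static const struct proto_ops ops_with_sendpage    = { "tcp_like", tcp_like_sendpage };
static const struct proto_ops ops_without_sendpage = { "raw_like", NULL };

/* Hardened dispatcher: the only place that dereferences ops->sendpage.
 * The unsafe shape the fix removes from the call site is
 *     return ops->sendpage(page, offset, size, flags);
 * which jumps through a NULL pointer when the member is unset. */
long safe_sendpage(const struct proto_ops *ops, struct page *page,
                   int offset, size_t size, int flags)
{
    if (ops->sendpage)
        return ops->sendpage(page, offset, size, flags);
    return no_sendpage(page, offset, size, flags);
}

/* Audit helper: counts tables that leave sendpage unset and names them,
 * so every direct caller of ops->sendpage can be located and reviewed. */
int audit_sendpage_ops(const struct proto_ops *const *tables, size_t n)
{
    int unset = 0;
    for (size_t i = 0; i < n; i++) {
        if (tables[i]->sendpage == NULL) {
            printf("%s: sendpage unset, direct calls would dereference NULL\n",
                   tables[i]->name);
            unset++;
        }
    }
    return unset;
}

/* Accessors so the tables above can be exercised from outside this file. */
const struct proto_ops *ops_complete(void)   { return &ops_with_sendpage; }
const struct proto_ops *ops_incomplete(void) { return &ops_without_sendpage; }

int main(void)
{
    const struct proto_ops *all[] = { &ops_with_sendpage, &ops_without_sendpage };
    printf("complete:   %ld\n", safe_sendpage(ops_complete(),   NULL, 0, 4096, 0));
    printf("incomplete: %ld\n", safe_sendpage(ops_incomplete(), NULL, 0, 4096, 0));
    printf("tables with sendpage unset: %d\n", audit_sendpage_ops(all, 2));
    return 0;
}
```

The design point is that the NULL check lives in exactly one function; every other caller goes through it, so adding a new protocol without a sendpage implementation cannot reintroduce the dereference.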