[Users] New kernel vuln...

Konstantin Khorenko khorenko at openvz.org
Tue Aug 18 09:38:56 EDT 2009


Hi Michael,

> That's nice to know. Good job. But you're doing this somewhere else than in
> net/socket.c I guess? Because net/socket.c took Linus Torvalds patch just fine
> w/o any rejects when I rebuilt 028stab064.4 from your SRPM and patched the
> hole with this:
> ...

You see, your patch fixes the issue described at http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
while in the 64.4 kernel we have another issue fixed (related, but still a different one); it is described at http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html
This is fixed by the following patch: http://patchwork.kernel.org/patch/32598/

Surely we'll include the patch you sent in the next kernel, but we can just do it a little bit later (not ASAP), as the current PVC kernel is not vulnerable despite the absence of this patch.

--
Konstantin

On 08/18/2009 05:02 PM, Michael Stauber wrote:
> Hi Konstantin,
> 
>> Michael, could you please confirm that you were able to gain root on a
>> kernel before 64.4?
> 
> Confirmed. I didn't test 028stab064.4 (which was released just a few days 
> prior to the announcement of the exploit), but tested older kernels. With the 
> following kernels I could get root access on the master node with the exploit, 
> but not inside a VE:
> 
> CentOS5:
> 2.6.18-128.1.1.el5.028stab062.3
> 2.6.18-92.1.18.el5.028stab060.2
> 2.6.18-53.1.19.el5.028stab053.14
> 
> CentOS4:
> 2.6.9-023stab043.2 (Very outdated, I know. Last CentOS4 box I have.)
> 
> I know, it's an odd mix, but that's what I had running. Production boxes on my 
> end usually have new kernels, internal devel boxes are often less frequently 
> patched.
> 
>> The kernel is immune due to the fact that 64.4 kernel has the bypassing
>> "mmap_min_addr" issue fixed:
>> http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html - description
>> of the problem
>>
>> Exploits for the current issue, in their turn, need this hole to gain root
>> access.
> 
> That's nice to know. Good job. But you're doing this somewhere else than in 
> net/socket.c I guess? Because net/socket.c took Linus Torvalds patch just fine 
> w/o any rejects when I rebuilt 028stab064.4 from your SRPM and patched the 
> hole with this: 
> 
> ----------------------------------------------------------------------
> --- ./net/socket.c      2006-09-19 23:42:06.000000000 -0400
> +++ ./net/socket.c      2009-08-14 19:24:21.000000000 -0400
> @@ -698,7 +698,7 @@
>         if (more)
>                 flags |= MSG_MORE;
> 
> -       return sock->ops->sendpage(sock, page, offset, size, flags);
> +       return kernel_sendpage(sock, page, offset, size, flags);
>  }
> 
>  static struct sock_iocb *alloc_sock_iocb(struct kiocb *iocb,
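Review bot: whether this hunk actually closes the NULL dispatch depends on kernel_sendpage() in the 028stab tree checking sock->ops->sendpage for NULL and falling back to sock_no_sendpage(), which the diff does not show; confirm that in net/socket.c before relying on the clean apply, because if kernel_sendpage() there simply calls the op unconditionally, replacing `return sock->ops->sendpage(sock, page, offset, size, flags);` with `return kernel_sendpage(sock, page, offset, size, flags);` changes nothing. The hunk header `@@ -698,7 +698,7 @@` also carries no function name, so a reader cannot tell from the diff alone which net/socket.c function the call sits in; regenerating it with `diff -up` and adding a one-line description that points to the cr0.org write-up quoted earlier in the thread would make the patch self-explanatory.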
> ----------------------------------------------------------------------

