Bug 432344
Summary: | OOPs because of trying CVE-2008-0009/10 exploit | | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | Martin Jürgens <ma> |
Component: | kernel | Assignee: | Kernel Maintainer List <kernel-maint> |
Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | 8 | | |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | kernel-2.6.23.15-137.fc8 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2008-02-12 15:03:29 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Martin Jürgens
2008-02-11 14:03:10 UTC
This oops successfully reproduced when running the exploit for CVE-2008-0010 on 2.6.23.14-115.fc8.

Steps to reproduce:

1. adduser testuser
2. passwd testuser
3. su testuser
4. get exploit from http://www.milw0rm.com/exploits/5093
5. cc exploit.c -o exploit
6. [testuser@nec-em7 tmp]$ ./exploit

The result:

```
# BUG: unable to handle kernel paging request at virtual address 007a5319
printing eip:
08048919
*pde = 00000000
Oops: 0000 [#1]
SMP
Modules linked in: rfcomm l2cap bluetooth autofs4 sunpc ipv6 loop dm_multipath pcspkr iTCO_wdt iTCO_vendor_support i2c_i801 i2c_core i5000_edac edac_core button e1000 sg dm_snapshot dm_zero dm_mirror dm_mod mptsas mptscsih mptbase scsi_transport_sas sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohcihcd ehci_hcd
CPU: 3
EIP: 0060:[<08048919>] Not tainted VLI
EFLAGS: 00210293 (2.6.23.14-115.fc8 #1)
EIP is at 0x8048919
eax: 007a5319 ebx: 00007a69 ecx: 080488f1 edx: 000000d8
esi: 00000002 edi: 00000003 ebp: f65b9fac esp: f65b9f98
ds: 007b s: 007b fs: 00d8 gs: 0033 ss: 0068
Process exploit (pid: 2482, ti=f65b9000 task=f7716c20 task.ti=f65b9000)
Stack: c0481dfc 00000000 007a5319 007a5319 00007a69 f65b9000 c04203d9 c040518a
 00007a69 080488f1 00000001 00000002 0000003 00000004 00000071 0000007b
 0000007b c0610000 00000071 0012d402 00000073 00200207 bff5b138 0000007b
Call Trace:
 [<c0481dfc>] sys_write+0x41/0x67
 [<c04203d9>] sys_vm86old+0x12/0x75
 [<c040518a>] syscall_call+0x7/0xb
 [<c060000>] xfrm_alloc_spi+0xe/0x158
 =======================
Code: Bad EIP value.
EIP: [<08048919>] 0x8048919 SS:ESP 0068:f65b9f98

Message from syslogd@nec-em7 at Feb 12 09:27:15 ... kernel: Oops: 0000 [#1] SMP
Message from syslogd@nec-em7 at Feb 12 09:27:15 ... kernel: CPU: 3
Message from syslogd@nec-em7 at Feb 12 09:27:15 ... kernel: EIP: 0060:[<08048919>] Not tainted VLI
Message from syslogd@nec-em7 at Feb 12 09:27:15 ... kernel: EFLAGS: 00210293 (2.6.23.14-115.fc8 #1)
Message from syslogd@nec-em7 at Feb 12 09:27:15 ... kernel: EIP is at 0x8048919
Message from syslogd@nec-em7 at Feb 12 09:27:15 ... kernel: eax: 007a5319 ebx: 00007a69 ecx: 080488f1 edx: 000000d8
Message from syslogd@nec-em7 at Feb 12 09:27:15 ... kernel: esi: 00000002 edi: 00000003 ebp: f65b9fac esp: f65b9f98
Message from syslogd@nec-em7 at Feb 12 09:27:15 ... kernel: ds: 007b es: 007b fs: 00d8 gs: 0033 ss: 0068
Message from syslogd@nec-em7 at Feb 12 09:27:15 ... kernel: Process exploit (pid: 2482, ti=f65b9000 task=f7716c20 task.ti=f65b9000)
Message from syslogd@nec-em7 at Feb 12 09:27:15 ... kernel: Stack: c0481dfc 00000000 007a5319 007a5319 00007a69 f65b9000 c04203d9 c040518a
Message from syslogd@nec-em7 at Feb 12 09:27:15 ... kernel: 00007a69 080488f1 00000001 00000002 00000003 00000004 00000071 0000007b
Message from syslogd@nec-em7 at Feb 12 09:27:15 ... kernel: 0000007b c0610000 00000071 0012d402 00000073 00200207 bff5b138 0000007b
Message from syslogd@nec-em7 at Feb 12 09:27:15 ... kernel: Call Trace:
Message from syslogd@nec-em7 at Feb 12 09:27:15 ... kernel: [<c0481dfc>] sys_write+0x41/0x67
Message from syslogd@nec-em7 at Feb 12 09:27:15 ... kernel: [<c04203d9>] sys_vm86old+0x12/0x75
Message from syslogd@nec-em7 at Feb 12 09:27:15 ... kernel: [<c040518a>] syscall_call+0x7/0xb
Message from syslogd@nec-em7 at Feb 12 09:27:15 ... kernel: [<c0610000>] xfrm_alloc_spi+0xe/0x158
Message from syslogd@nec-em7 at Feb 12 09:27:15 ... kernel: =======================
Message from syslogd@nec-em7 at Feb 12 09:27:15 ... kernel: Code: Bad EIP value.
Message from syslogd@nec-em7 at Feb 12 09:27:15 ... kernel: EIP: [<08048919>] 0x8048919 SS:ESP 0068:f65b9f98
```

By this kernel oopses "only" the "exploit" process -- after pressing "Enter" the command line "returns".

The oops successfully reproduced ALSO for the 2.6.23.1-42.fc8 version of the kernel. Here, after repeating the above steps, one experiences the "complete kernel oops" -- you need to reboot the system :o(.

Have also tried the latest (kernel-2.6.23.15-137.fc8) -- NO OOPS appears (seems to be fixed && working).

The kernel versions < kernel-2.6.23.15-137.fc8 were vulnerable to CVE-2008-0010, but kernel-2.6.23.15-137.fc8 fixes it -> No issue anymore there.

Closing then :)
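Added triage helper (example code written for this page, not part of the bug report or of Fedora's tooling): it pulls the oops code, kernel version and crashing process out of syslog lines of the shape quoted above, then orders the running kernel against the Fixed In Version using rpm-style version comparison. The sample log lines are constructed from values on this page; `FIXED_KERNEL` is the report's own fixed version.

```python
import re

# Fixed In Version from this bug report; Fedora 8 kernels older than it oopsed.
FIXED_KERNEL = "2.6.23.15-137.fc8"

# Constructed sample: syslog lines in the shape the report quotes.
SAMPLE_SYSLOG = """\
Message from syslogd@nec-em7 at Feb 12 09:27:15 ... kernel: Oops: 0000 [#1] SMP
Message from syslogd@nec-em7 at Feb 12 09:27:15 ... kernel: EFLAGS: 00210293 (2.6.23.14-115.fc8 #1)
Message from syslogd@nec-em7 at Feb 12 09:27:15 ... kernel: Process exploit (pid: 2482, ti=f65b9000 task=f7716c20 task.ti=f65b9000)
"""

OOPS_RE = re.compile(r"kernel: Oops: (?P<code>[0-9a-f]+) \[#(?P<n>\d+)\]")
VERSION_RE = re.compile(r"kernel: EFLAGS: [0-9a-f]+ \((?P<version>\S+) #\d+\)")
PROCESS_RE = re.compile(r"kernel: Process (?P<name>\S+) \(pid: (?P<pid>\d+),")


def parse_oops(text):
    """Pull oops code, kernel version and crashing process out of syslog lines."""
    found = {}
    for line in text.splitlines():
        for key, rx in (("oops", OOPS_RE), ("kernel", VERSION_RE), ("process", PROCESS_RE)):
            m = rx.search(line)
            if m and key not in found:  # keep the first occurrence of each field
                found[key] = m.groupdict()
    return found


def _segments(s):
    # rpmvercmp-style tokens: numeric runs compare as integers and sort after
    # alphabetic runs, so "15" > "1" and "fc8" behaves as ("fc", 8).
    return [(1, int(t)) if t.isdigit() else (0, t) for t in re.findall(r"\d+|[A-Za-z]+", s)]


def rpm_vercmp(a, b):
    """Return -1, 0 or 1 comparing version-release strings like 2.6.23.14-115.fc8."""
    for pa, pb in zip(a.split("-", 1), b.split("-", 1)):  # version first, then release
        sa, sb = _segments(pa), _segments(pb)
        if sa != sb:
            return -1 if sa < sb else 1
    return 0


def kernel_is_vulnerable(syslog_text, fixed=FIXED_KERNEL):
    """True if the oopsing kernel predates the fixed build, None if no version was found."""
    version = parse_oops(syslog_text).get("kernel", {}).get("version")
    if version is None:
        return None
    return rpm_vercmp(version, fixed) < 0


if __name__ == "__main__":
    print(parse_oops(SAMPLE_SYSLOG), "vulnerable:", kernel_is_vulnerable(SAMPLE_SYSLOG))
```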