Bug 432344

Summary:	OOPs because of trying CVE-2008-0009/10 exploit
Product:	[Fedora] Fedora	Reporter:	Martin Jürgens <ma>
Component:	kernel	Assignee:	Kernel Maintainer List <kernel-maint>
Status:	CLOSED DUPLICATE	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	low	Docs Contact:
Priority:	low
Version:	8
Target Milestone:	---
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	kernel-2.6.23.15-137.fc8	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2008-02-12 15:03:29 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Martin Jürgens 2008-02-11 14:03:10 UTC

Description of problem:
I tried the CVE-2008-0009/10 root exploit several times on my Fedora 8 machine
with kernel kernel 2.6.23.14-115.fc8. When doing it the third time, I got a nice
oops!


Additional info:

Feb 11 15:00:25 medora kernel: BUG: unable to handle kernel paging request at
virtual address 156e0067
Feb 11 15:00:25 medora kernel: printing eip: 080487f5 *pde = 00000000 
Feb 11 15:00:25 medora kernel: Oops: 0000 [#1] SMP 
Feb 11 15:00:25 medora kernel: Modules linked in: vfat fat rfcomm l2cap
bluetooth autofs4 w83627ehf hwmon_vid sunrpc nf_conntrack_ipv4 ipt_REJECT
iptable_filter ip_tables nf_conntrack_ipv6 xt_state nf_conntrack nfnetlink
xt_tcpudp ip6t_ipv6header ip6t_REJECT ip6table_filter ip6_tables x_tables
cpufreq_ondemand dm_mirror dm_multipath dm_mod ipv6 snd_hda_intel snd_seq_dummy
snd_seq_oss snd_seq_midi_event snd_seq parport_pc parport snd_seq_device
snd_pcm_oss snd_mixer_oss nvidia(P)(U) floppy snd_pcm k8temp hwmon pcspkr
dvb_usb_dtt200u snd_timer dvb_usb snd_page_alloc dvb_core snd_hwdep button snd
usb_storage forcedeth i2c_nforce2 soundcore i2c_core sg sr_mod cdrom pata_amd
ata_generic sata_nv libata sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd
ehci_hcd
Feb 11 15:00:25 medora kernel: CPU:    0
Feb 11 15:00:25 medora kernel: EIP:    0060:[<080487f5>]    Tainted: P        VLI
Feb 11 15:00:25 medora kernel: EFLAGS: 00010293   (2.6.23.14-115.fc8 #1)
Feb 11 15:00:25 medora kernel: EIP is at 0x80487f5
Feb 11 15:00:25 medora kernel: eax: 156e0067   ebx: 00000004   ecx: 00000286  
edx: 00000000
Feb 11 15:00:25 medora kernel: esi: d16bbf84   edi: ffffffe0   ebp: d16bbe08  
esp: d16bbdf4
Feb 11 15:00:25 medora kernel: ds: 007b   es: 007b   fs: 00d8  gs: 0033  ss: 0068
Feb 11 15:00:25 medora kernel: Process explot.bin (pid: 3162, ti=d16bb000
task=ecf8e610 task.ti=d16bb000)
Feb 11 15:00:25 medora kernel: Stack: 00000286 00000000 156e0067 156e0067
00000004 00000001 c0468456 c049a938 
Feb 11 15:00:25 medora kernel:        00000011 00000000 00000030 00000000
fffcffff 00000030 00000030 bfee9de8 
Feb 11 15:00:25 medora kernel:        c049b107 ffffffd0 00000000 00000000
d16bbf2c 00000000 d16bbfec dfb40f00 
Feb 11 15:00:25 medora kernel: Call Trace:
Feb 11 15:00:25 medora kernel:  [<c0468456>] put_compound_page+0x23/0x24
Feb 11 15:00:25 medora kernel:  [<c049a938>] splice_to_pipe+0x1d7/0x1e7
Feb 11 15:00:25 medora kernel:  [<c049b107>] sys_vmsplice+0x2d7/0x430
Feb 11 15:00:25 medora kernel:  [<c046d6c2>] unmap_vmas+0x3d9/0x59a
Feb 11 15:00:25 medora kernel:  [<c04264a6>] __wake_up+0x32/0x43
Feb 11 15:00:25 medora kernel:  =======================
Feb 11 15:00:25 medora kernel: Code:  Bad EIP value.
Feb 11 15:00:25 medora kernel: EIP: [<080487f5>] 0x80487f5 SS:ESP 0068:d16bbdf4

Comment 1 Jan Lieskovsky 2008-02-12 14:42:24 UTC

This oops successfully reproduced when running the exploit for CVE-2008-0010
on 2.6.23.14-115.fc8.

Steps to reproduce:

1, adduser testuser
2, passwd testuser
3, su testuser
4, get exploit from http://www.milw0rm.com/exploits/5093
5, cc exploit.c -o exploit
6, [testuser@nec-em7 tmp]$ ./exploit

The result:

# BUG: unable to handle kernel paging request at virtual address 007a5319
printing eip: 08048919 *pde = 00000000
Oops: 0000 [#1] SMP
Modules linked in: rfcomm l2cap bluetooth autofs4 sunpc ipv6 loop dm_multipath
pcspkr iTCO_wdt iTCO_vendor_support i2c_i801 i2c_core i5000_edac edac_core
button e1000 sg dm_snapshot dm_zero dm_mirror dm_mod mptsas mptscsih mptbase
scsi_transport_sas sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohcihcd ehci_hcd
CPU:    3
EIP:    0060:[<08048919>]    Not tainted VLI
EFLAGS: 00210293   (2.6.23.14-115.fc8 #1)
EIP is at 0x8048919
eax: 007a5319   ebx: 00007a69   ecx: 080488f1   edx: 000000d8
esi: 00000002   edi: 00000003   ebp: f65b9fac   esp: f65b9f98
ds: 007b s: 007b   fs: 00d8  gs: 0033  ss: 0068
Process exploit (pid: 2482, ti=f65b9000 task=f7716c20 task.ti=f65b9000)
Stack: c0481dfc 00000000 007a5319 007a5319 00007a69 f65b9000 c04203d9 c040518a
       00007a69 080488f1 00000001 00000002 0000003 00000004 00000071 0000007b
       0000007b c0610000 00000071 0012d402 00000073 00200207 bff5b138 0000007b
Call Trace:
 [<c0481dfc>] sys_write+0x41/0x67
 [<c04203d9>] sys_vm86old+0x12/0x75
 [<c040518a>] syscall_call+0x7/0xb
 [<c060000>] xfrm_alloc_spi+0xe/0x158
 =======================
Code:  Bad EIP value.
EIP: [<08048919>] 0x8048919 SS:ESP 0068:f65b9f98

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel: Oops: 0000 [#1] SMP

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel: CPU:    3

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel: EIP:    0060:[<08048919>]    Not tainted VLI

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel: EFLAGS: 00210293   (2.6.23.14-115.fc8 #1)

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel: EIP is at 0x8048919

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel: eax: 007a5319   ebx: 00007a69   ecx: 080488f1   edx: 000000d8

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel: esi: 00000002   edi: 00000003   ebp: f65b9fac   esp: f65b9f98

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel: ds: 007b   es: 007b   fs: 00d8  gs: 0033  ss: 0068

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel: Process exploit (pid: 2482, ti=f65b9000 task=f7716c20 task.ti=f65b9000)

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel: Stack: c0481dfc 00000000 007a5319 007a5319 00007a69 f65b9000 c04203d9
c040518a

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel:        00007a69 080488f1 00000001 00000002 00000003 00000004 00000071
0000007b

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel:        0000007b c0610000 00000071 0012d402 00000073 00200207 bff5b138
0000007b

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel: Call Trace:

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel:  [<c0481dfc>] sys_write+0x41/0x67

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel:  [<c04203d9>] sys_vm86old+0x12/0x75

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel:  [<c040518a>] syscall_call+0x7/0xb

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel:  [<c0610000>] xfrm_alloc_spi+0xe/0x158

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel:  =======================

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel: Code:  Bad EIP value.

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel: EIP: [<08048919>] 0x8048919 SS:ESP 0068:f65b9f98

By this kernel oopses "only" the "exploit" process --
after pressing "Enter" the command line "returns".

The oops succcesfully reproduced ALSO for the 2.6.23.1-42.fc8 version of the
kernel. Here after the repeating the above steps one experiences the 
"complete kernel oops" -- you need to reboot the system :o(. 

Have also tried also the latest (kernel-2.6.23.15-137.fc8) --
NO OOPS appears (seems to be fixed && working).

Comment 2 Jan Lieskovsky 2008-02-12 14:58:22 UTC

The kernel versions < than kernel-2.6.23.15-137.fc8 were vulnerable to
the CVE-2008-0010, but kernel-2.6.23.15-137.fc8 fixes it ->
No issue anymore there.

Comment 3 Martin Jürgens 2008-02-12 15:03:29 UTC

Closing then :)

Comment 4 Jan Lieskovsky 2008-02-12 15:06:46 UTC

*** This bug has been marked as a duplicate of 432308 ***

*** This bug has been marked as a duplicate of 432308 ***