Bug 432344 - OOPs because of trying CVE-2008-0009/10 exploit
OOPs because of trying CVE-2008-0009/10 exploit
Status: CLOSED DUPLICATE of bug 432308
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
8
All Linux
low Severity low
: ---
: ---
Assigned To: Kernel Maintainer List
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-02-11 09:03 EST by Martin Jürgens
Modified: 2008-02-12 10:06 EST (History)
0 users

See Also:
Fixed In Version: kernel-2.6.23.15-137.fc8
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-02-12 10:03:29 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Martin Jürgens 2008-02-11 09:03:10 EST
Description of problem:
I tried the CVE-2008-0009/10 root exploit several times on my Fedora 8 machine
with kernel kernel 2.6.23.14-115.fc8. When doing it the third time, I got a nice
oops!


Additional info:

Feb 11 15:00:25 medora kernel: BUG: unable to handle kernel paging request at
virtual address 156e0067
Feb 11 15:00:25 medora kernel: printing eip: 080487f5 *pde = 00000000 
Feb 11 15:00:25 medora kernel: Oops: 0000 [#1] SMP 
Feb 11 15:00:25 medora kernel: Modules linked in: vfat fat rfcomm l2cap
bluetooth autofs4 w83627ehf hwmon_vid sunrpc nf_conntrack_ipv4 ipt_REJECT
iptable_filter ip_tables nf_conntrack_ipv6 xt_state nf_conntrack nfnetlink
xt_tcpudp ip6t_ipv6header ip6t_REJECT ip6table_filter ip6_tables x_tables
cpufreq_ondemand dm_mirror dm_multipath dm_mod ipv6 snd_hda_intel snd_seq_dummy
snd_seq_oss snd_seq_midi_event snd_seq parport_pc parport snd_seq_device
snd_pcm_oss snd_mixer_oss nvidia(P)(U) floppy snd_pcm k8temp hwmon pcspkr
dvb_usb_dtt200u snd_timer dvb_usb snd_page_alloc dvb_core snd_hwdep button snd
usb_storage forcedeth i2c_nforce2 soundcore i2c_core sg sr_mod cdrom pata_amd
ata_generic sata_nv libata sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd
ehci_hcd
Feb 11 15:00:25 medora kernel: CPU:    0
Feb 11 15:00:25 medora kernel: EIP:    0060:[<080487f5>]    Tainted: P        VLI
Feb 11 15:00:25 medora kernel: EFLAGS: 00010293   (2.6.23.14-115.fc8 #1)
Feb 11 15:00:25 medora kernel: EIP is at 0x80487f5
Feb 11 15:00:25 medora kernel: eax: 156e0067   ebx: 00000004   ecx: 00000286  
edx: 00000000
Feb 11 15:00:25 medora kernel: esi: d16bbf84   edi: ffffffe0   ebp: d16bbe08  
esp: d16bbdf4
Feb 11 15:00:25 medora kernel: ds: 007b   es: 007b   fs: 00d8  gs: 0033  ss: 0068
Feb 11 15:00:25 medora kernel: Process explot.bin (pid: 3162, ti=d16bb000
task=ecf8e610 task.ti=d16bb000)
Feb 11 15:00:25 medora kernel: Stack: 00000286 00000000 156e0067 156e0067
00000004 00000001 c0468456 c049a938 
Feb 11 15:00:25 medora kernel:        00000011 00000000 00000030 00000000
fffcffff 00000030 00000030 bfee9de8 
Feb 11 15:00:25 medora kernel:        c049b107 ffffffd0 00000000 00000000
d16bbf2c 00000000 d16bbfec dfb40f00 
Feb 11 15:00:25 medora kernel: Call Trace:
Feb 11 15:00:25 medora kernel:  [<c0468456>] put_compound_page+0x23/0x24
Feb 11 15:00:25 medora kernel:  [<c049a938>] splice_to_pipe+0x1d7/0x1e7
Feb 11 15:00:25 medora kernel:  [<c049b107>] sys_vmsplice+0x2d7/0x430
Feb 11 15:00:25 medora kernel:  [<c046d6c2>] unmap_vmas+0x3d9/0x59a
Feb 11 15:00:25 medora kernel:  [<c04264a6>] __wake_up+0x32/0x43
Feb 11 15:00:25 medora kernel:  =======================
Feb 11 15:00:25 medora kernel: Code:  Bad EIP value.
Feb 11 15:00:25 medora kernel: EIP: [<080487f5>] 0x80487f5 SS:ESP 0068:d16bbdf4
Comment 1 Jan Lieskovsky 2008-02-12 09:42:24 EST
This oops successfully reproduced when running the exploit for CVE-2008-0010
on 2.6.23.14-115.fc8.

Steps to reproduce:

1, adduser testuser
2, passwd testuser
3, su testuser
4, get exploit from http://www.milw0rm.com/exploits/5093
5, cc exploit.c -o exploit
6, [testuser@nec-em7 tmp]$ ./exploit

The result:

# BUG: unable to handle kernel paging request at virtual address 007a5319
printing eip: 08048919 *pde = 00000000
Oops: 0000 [#1] SMP
Modules linked in: rfcomm l2cap bluetooth autofs4 sunpc ipv6 loop dm_multipath
pcspkr iTCO_wdt iTCO_vendor_support i2c_i801 i2c_core i5000_edac edac_core
button e1000 sg dm_snapshot dm_zero dm_mirror dm_mod mptsas mptscsih mptbase
scsi_transport_sas sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohcihcd ehci_hcd
CPU:    3
EIP:    0060:[<08048919>]    Not tainted VLI
EFLAGS: 00210293   (2.6.23.14-115.fc8 #1)
EIP is at 0x8048919
eax: 007a5319   ebx: 00007a69   ecx: 080488f1   edx: 000000d8
esi: 00000002   edi: 00000003   ebp: f65b9fac   esp: f65b9f98
ds: 007b s: 007b   fs: 00d8  gs: 0033  ss: 0068
Process exploit (pid: 2482, ti=f65b9000 task=f7716c20 task.ti=f65b9000)
Stack: c0481dfc 00000000 007a5319 007a5319 00007a69 f65b9000 c04203d9 c040518a
       00007a69 080488f1 00000001 00000002 0000003 00000004 00000071 0000007b
       0000007b c0610000 00000071 0012d402 00000073 00200207 bff5b138 0000007b
Call Trace:
 [<c0481dfc>] sys_write+0x41/0x67
 [<c04203d9>] sys_vm86old+0x12/0x75
 [<c040518a>] syscall_call+0x7/0xb
 [<c060000>] xfrm_alloc_spi+0xe/0x158
 =======================
Code:  Bad EIP value.
EIP: [<08048919>] 0x8048919 SS:ESP 0068:f65b9f98

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel: Oops: 0000 [#1] SMP

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel: CPU:    3

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel: EIP:    0060:[<08048919>]    Not tainted VLI

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel: EFLAGS: 00210293   (2.6.23.14-115.fc8 #1)

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel: EIP is at 0x8048919

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel: eax: 007a5319   ebx: 00007a69   ecx: 080488f1   edx: 000000d8

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel: esi: 00000002   edi: 00000003   ebp: f65b9fac   esp: f65b9f98

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel: ds: 007b   es: 007b   fs: 00d8  gs: 0033  ss: 0068

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel: Process exploit (pid: 2482, ti=f65b9000 task=f7716c20 task.ti=f65b9000)

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel: Stack: c0481dfc 00000000 007a5319 007a5319 00007a69 f65b9000 c04203d9
c040518a

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel:        00007a69 080488f1 00000001 00000002 00000003 00000004 00000071
0000007b

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel:        0000007b c0610000 00000071 0012d402 00000073 00200207 bff5b138
0000007b

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel: Call Trace:

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel:  [<c0481dfc>] sys_write+0x41/0x67

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel:  [<c04203d9>] sys_vm86old+0x12/0x75

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel:  [<c040518a>] syscall_call+0x7/0xb

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel:  [<c0610000>] xfrm_alloc_spi+0xe/0x158

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel:  =======================

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel: Code:  Bad EIP value.

Message from syslogd@nec-em7 at Feb 12 09:27:15 ...
 kernel: EIP: [<08048919>] 0x8048919 SS:ESP 0068:f65b9f98

By this kernel oopses "only" the "exploit" process --
after pressing "Enter" the command line "returns".

The oops succcesfully reproduced ALSO for the 2.6.23.1-42.fc8 version of the
kernel. Here after the repeating the above steps one experiences the 
"complete kernel oops" -- you need to reboot the system :o(. 

Have also tried also the latest (kernel-2.6.23.15-137.fc8) --
NO OOPS appears (seems to be fixed && working).
Comment 2 Jan Lieskovsky 2008-02-12 09:58:22 EST
The kernel versions < than kernel-2.6.23.15-137.fc8 were vulnerable to
the CVE-2008-0010, but kernel-2.6.23.15-137.fc8 fixes it ->
No issue anymore there.
Comment 3 Martin Jürgens 2008-02-12 10:03:29 EST
Closing then :)
Comment 4 Jan Lieskovsky 2008-02-12 10:06:46 EST
*** This bug has been marked as a duplicate of 432308 ***

*** This bug has been marked as a duplicate of 432308 ***

Note You need to log in before you can comment on or make changes to this bug.