Description of problem:
I tried the CVE-2008-0009/10 root exploit several times on my Fedora 8 machine with kernel 2.6.23.14-115.fc8. When doing it the third time, I got a nice oops!

Additional info:
Feb 11 15:00:25 medora kernel: BUG: unable to handle kernel paging request at virtual address 156e0067
Feb 11 15:00:25 medora kernel: printing eip: 080487f5 *pde = 00000000
Feb 11 15:00:25 medora kernel: Oops: 0000 [#1] SMP
Feb 11 15:00:25 medora kernel: Modules linked in: vfat fat rfcomm l2cap bluetooth autofs4 w83627ehf hwmon_vid sunrpc nf_conntrack_ipv4 ipt_REJECT iptable_filter ip_tables nf_conntrack_ipv6 xt_state nf_conntrack nfnetlink xt_tcpudp ip6t_ipv6header ip6t_REJECT ip6table_filter ip6_tables x_tables cpufreq_ondemand dm_mirror dm_multipath dm_mod ipv6 snd_hda_intel snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq parport_pc parport snd_seq_device snd_pcm_oss snd_mixer_oss nvidia(P)(U) floppy snd_pcm k8temp hwmon pcspkr dvb_usb_dtt200u snd_timer dvb_usb snd_page_alloc dvb_core snd_hwdep button snd usb_storage forcedeth i2c_nforce2 soundcore i2c_core sg sr_mod cdrom pata_amd ata_generic sata_nv libata sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd
Feb 11 15:00:25 medora kernel: CPU: 0
Feb 11 15:00:25 medora kernel: EIP: 0060:[<080487f5>] Tainted: P VLI
Feb 11 15:00:25 medora kernel: EFLAGS: 00010293 (2.6.23.14-115.fc8 #1)
Feb 11 15:00:25 medora kernel: EIP is at 0x80487f5
Feb 11 15:00:25 medora kernel: eax: 156e0067 ebx: 00000004 ecx: 00000286 edx: 00000000
Feb 11 15:00:25 medora kernel: esi: d16bbf84 edi: ffffffe0 ebp: d16bbe08 esp: d16bbdf4
Feb 11 15:00:25 medora kernel: ds: 007b es: 007b fs: 00d8 gs: 0033 ss: 0068
Feb 11 15:00:25 medora kernel: Process explot.bin (pid: 3162, ti=d16bb000 task=ecf8e610 task.ti=d16bb000)
Feb 11 15:00:25 medora kernel: Stack: 00000286 00000000 156e0067 156e0067 00000004 00000001 c0468456 c049a938
Feb 11 15:00:25 medora kernel: 00000011 00000000 00000030 00000000 fffcffff 00000030 00000030 bfee9de8
Feb 11 15:00:25 medora kernel: c049b107 ffffffd0 00000000 00000000 d16bbf2c 00000000 d16bbfec dfb40f00
Feb 11 15:00:25 medora kernel: Call Trace:
Feb 11 15:00:25 medora kernel: [<c0468456>] put_compound_page+0x23/0x24
Feb 11 15:00:25 medora kernel: [<c049a938>] splice_to_pipe+0x1d7/0x1e7
Feb 11 15:00:25 medora kernel: [<c049b107>] sys_vmsplice+0x2d7/0x430
Feb 11 15:00:25 medora kernel: [<c046d6c2>] unmap_vmas+0x3d9/0x59a
Feb 11 15:00:25 medora kernel: [<c04264a6>] __wake_up+0x32/0x43
Feb 11 15:00:25 medora kernel: =======================
Feb 11 15:00:25 medora kernel: Code: Bad EIP value.
Feb 11 15:00:25 medora kernel: EIP: [<080487f5>] 0x80487f5 SS:ESP 0068:d16bbdf4
This oops successfully reproduced when running the exploit for CVE-2008-0010 on 2.6.23.14-115.fc8.

Steps to reproduce:
1. adduser testuser
2. passwd testuser
3. su testuser
4. get exploit from http://www.milw0rm.com/exploits/5093
5. cc exploit.c -o exploit
6. [testuser@nec-em7 tmp]$ ./exploit

The result:
#
BUG: unable to handle kernel paging request at virtual address 007a5319
printing eip: 08048919 *pde = 00000000
Oops: 0000 [#1] SMP
Modules linked in: rfcomm l2cap bluetooth autofs4 sunrpc ipv6 loop dm_multipath pcspkr iTCO_wdt iTCO_vendor_support i2c_i801 i2c_core i5000_edac edac_core button e1000 sg dm_snapshot dm_zero dm_mirror dm_mod mptsas mptscsih mptbase scsi_transport_sas sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd
CPU: 3
EIP: 0060:[<08048919>] Not tainted VLI
EFLAGS: 00210293 (2.6.23.14-115.fc8 #1)
EIP is at 0x8048919
eax: 007a5319 ebx: 00007a69 ecx: 080488f1 edx: 000000d8
esi: 00000002 edi: 00000003 ebp: f65b9fac esp: f65b9f98
ds: 007b es: 007b fs: 00d8 gs: 0033 ss: 0068
Process exploit (pid: 2482, ti=f65b9000 task=f7716c20 task.ti=f65b9000)
Stack: c0481dfc 00000000 007a5319 007a5319 00007a69 f65b9000 c04203d9 c040518a
00007a69 080488f1 00000001 00000002 00000003 00000004 00000071 0000007b
0000007b c0610000 00000071 0012d402 00000073 00200207 bff5b138 0000007b
Call Trace:
[<c0481dfc>] sys_write+0x41/0x67
[<c04203d9>] sys_vm86old+0x12/0x75
[<c040518a>] syscall_call+0x7/0xb
[<c0610000>] xfrm_alloc_spi+0xe/0x158
=======================
Code: Bad EIP value.
EIP: [<08048919>] 0x8048919 SS:ESP 0068:f65b9f98

With this kernel, only the "exploit" process oopses -- after pressing "Enter" the command line "returns".

The oops successfully reproduced ALSO for the 2.6.23.1-42.fc8 version of the kernel. Here, after repeating the above steps, one experiences the "complete kernel oops" -- you need to reboot the system :o(.
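A defender-side triage helper for oopses like the two quoted above, added here as an example and not part of the bug report: it parses a constructed sample built from the first oops and flags the two details that mark this crash as an exploitation attempt rather than a driver bug, a kernel-mode EIP below PAGE_OFFSET (assumed to be 0xc0000000 for this 32-bit kernel) and a call trace through sys_vmsplice.

```python
import re

# Constructed sample, trimmed from the first oops quoted in this bug report.
SAMPLE_OOPS = """\
BUG: unable to handle kernel paging request at virtual address 156e0067
Oops: 0000 [#1] SMP
EIP: 0060:[<080487f5>] Tainted: P VLI
Process explot.bin (pid: 3162, ti=d16bb000 task=ecf8e610 task.ti=d16bb000)
Call Trace:
 [<c0468456>] put_compound_page+0x23/0x24
 [<c049a938>] splice_to_pipe+0x1d7/0x1e7
 [<c049b107>] sys_vmsplice+0x2d7/0x430
Code: Bad EIP value.
"""

# Assumption: default 32-bit x86 3G/1G split; the c04xxxxx addresses in the
# trace are consistent with kernel text living above this boundary.
PAGE_OFFSET = 0xC0000000

EIP_RE = re.compile(r"EIP:\s+[0-9a-f]{4}:\[<([0-9a-f]{8})>\](.*)")
PROC_RE = re.compile(r"Process (\S+) \(pid: (\d+),")
TRACE_RE = re.compile(r"\[<[0-9a-f]{8}>\] (\w+)\+0x")


def parse_oops(text):
    """Pull the faulting EIP, taint flag, process and call trace out of an oops."""
    info = {"eip": None, "tainted": False, "process": None, "pid": None, "trace": []}
    for line in text.splitlines():
        if m := EIP_RE.search(line):
            info["eip"] = int(m.group(1), 16)
            info["tainted"] = "Tainted" in m.group(2)   # "Not tainted" stays False
        elif m := PROC_RE.search(line):
            info["process"], info["pid"] = m.group(1), int(m.group(2))
        elif m := TRACE_RE.search(line):
            info["trace"].append(m.group(1))
    return info


def assess(info):
    """Return findings that distinguish a likely exploit attempt from a plain crash."""
    findings = []
    if info["eip"] is not None and info["eip"] < PAGE_OFFSET:
        # Kernel mode (CS 0x0060) executing below PAGE_OFFSET means control
        # flow was redirected into the faulting process's own memory.
        findings.append("kernel-mode EIP 0x%08x is a user-space address" % info["eip"])
    if "sys_vmsplice" in info["trace"]:
        findings.append("fault reached via sys_vmsplice (CVE-2008-0009/0010 path)")
    return findings
```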
Have also tried the latest (kernel-2.6.23.15-137.fc8) -- NO OOPS appears (seems to be fixed && working).
Kernel versions older than kernel-2.6.23.15-137.fc8 were vulnerable to CVE-2008-0010, but kernel-2.6.23.15-137.fc8 fixes it -> no issue there anymore.
Closing then :)
*** This bug has been marked as a duplicate of 432308 ***