Bug 432517 - Vulnerability to CVE-2008-0600 (vmsplice)
Summary: Vulnerability to CVE-2008-0600 (vmsplice)
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel-xen-2.6
Version: 8
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Eduardo Habkost
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-02-12 15:44 UTC by Jan ONDREJ
Modified: 2008-02-13 17:42 UTC (History)
5 users (show)

Fixed In Version: 2.6.21-2957.fc8
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-02-13 04:48:35 UTC


Attachments (Terms of Use)

Description Jan ONDREJ 2008-02-12 15:44:07 UTC
Description of problem:
kernel-xen is still vulnerable to this vulnerability. Hack tested on my machine.

Version-Release number of selected component (if applicable):
kernel-xen-2.6.21-2952.fc8
may be the .fc7 version too

How reproducible:
always

Steps to Reproduce:
1. use the exploit
  
Actual results:
User root.

Expected results:
non hacked system :)

Additional info:
For more information see these bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=432229
https://bugzilla.redhat.com/show_bug.cgi?id=432283

I have a try to patch latest stable fedora kernel with patch from stable kernel.
You can see my package here:
http://www.salstar.sk/pub/fedora/testing/8/kernel-xen-2.6-2.6.21-2952.fc8.1.src.rpm

If you need patch and spec only, just tell me.

Comment 1 Eduardo Habkost 2008-02-12 17:14:10 UTC
F-8 update building: http://koji.fedoraproject.org/koji/taskinfo?taskID=419352

Comment 2 Eduardo Habkost 2008-02-12 17:18:04 UTC
F-7 update building: http://koji.fedoraproject.org/koji/taskinfo?taskID=419363

Comment 3 Eduardo Habkost 2008-02-12 17:51:07 UTC
(In reply to comment #1)
> F-8 update building: 
http://koji.fedoraproject.org/koji/taskinfo?taskID=419352

Oops, that was the URL for the Rawhide build.

F-8 update is being built here: 
http://koji.fedoraproject.org/koji/taskinfo?taskID=419415

Comment 5 Daniel Berrangé 2008-02-12 18:45:32 UTC
No, the xen kernels follow the style of the regular kernel spec files. The EVR
are not entered manually. They are automatically computed based on the CVS
revision number. We're not going to second guess the CVS revision in changelogs


Comment 6 Jan ONDREJ 2008-02-12 19:41:21 UTC
May be for start it's enough to add version (without epoch and release). It can
be helpful to see, which changes have been made in which release.

Kernel 2.6.21-2957.fc8xen works well for me. Exploit is not usable. Thanks for
quick response.

 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f1d000 .. 0xb7f4f000
[-] vmsplice: Bad address


Comment 7 Fedora Update System 2008-02-12 19:44:36 UTC
kernel-xen-2.6-2.6.21-7.fc7 has been submitted as an update for Fedora 7

Comment 8 Fedora Update System 2008-02-12 19:45:43 UTC
kernel-xen-2.6-2.6.21-2957.fc8 has been submitted as an update for Fedora 8

Comment 9 Fedora Update System 2008-02-13 04:48:33 UTC
kernel-xen-2.6-2.6.21-2957.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2008-02-13 05:16:55 UTC
kernel-xen-2.6-2.6.21-7.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Jan Lieskovsky 2008-02-13 14:54:01 UTC
Attaching 2.6.21-7.fc7xen testing results:

[testuser@hp-xw8600-01 tmp]$ ./2008-0600
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f7f000 .. 0xb7fb1000
[-] vmsplice: Bad address
[testuser@

Exploit no more present in this kernel.

Comment 12 Jan Lieskovsky 2008-02-13 15:30:48 UTC
Attaching 2.6.21-2957.fc8xen testing results:

[testuser@nec-em7 tmp]$ ./2008-0600
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f30000 .. 0xb7f62000
[-] vmsplice: Bad address
[testuser@nec-em7 tmp]$

Issue no more present in this kernel -> this one can be closed.

Comment 13 Jan ONDREJ 2008-02-13 17:42:55 UTC
This bug is already closed. Please do not put more result until you find another
hack. Thank you.


Note You need to log in before you can comment on or make changes to this bug.