# Linux Kernel 2.6 Local Root Exploit

## BitJam

Slashdot story.

The exploit works on my amd64 system with a 2.6.23-gentoo-r3 kernel.

----------

## knifeyspoony

Today's slashdot brings news of an exploit in the wild for kernels 2.6.17 to 2.6.24.1.  The workaround is to compile a kernel without vmsplice support.

I can't find a option in my 2.6.22 .config explicitly for vmsplice.  Anyone know where to find it?

----------

## Voltago

Discussion:

http://lkml.org/lkml/2008/2/10/8

Possible fix (platojones three posts further down says it works, thanks platojones):

http://lkml.org/lkml/2008/2/10/153

----------

## nixnut

First you can check if you are indeed vulnerable. Then you can either apply the patch posted here or simply make sure you have no untrusted local users (disable ssh access for example) and wait until patched kernel sources make it into portage. Since this is a pretty nasty issue you can expect that within days I'd say.

Edit: in fact, it's already committed: http://packages.gentoo.org/package/sys-kernel/gentoo-sources/

 *Quote:*   

> *gentoo-sources-2.6.24-r1 (10 Feb 2008)
> 
> 10 Feb 2008; Daniel Drake (dsd)
> 
> +gentoo-sources-2.6.24-r1.ebuild:
> ...

 

Also fixed is 2.6.23 with gentoo-sources-2.6.23-r7.ebuild

----------

## Timberwolves

https://bugs.gentoo.org/show_bug.cgi?id=209460

----------

## platojones

Wow, glad you were snooping around /. today.  My kernel was wide open to this thing.  5 min later, made the 1 line source file change, recompiled the kernel and voila... that one is gone.

----------

## platojones

BTW, I just tested that fix and it works.

----------

## ksool

Any word on what config option includes vmsplice?

----------

## dsd

there is no way to disable vmsplice in your .config

you can disable it quite easily by modifying the kernel source, open fs/splice.c, search for sys_vmsplice() and then make the following modification to the function:

```
asmlinkage long sys_vmsplice(int fd, const struct iovec __user *iov,
			     unsigned long nr_segs, unsigned int flags)
...
```

(untested)

the situation is quite confusing as there have actually been three security bugs classified with the vmsplice() implementation, which are solved by 2 patches (so let's just call them 2 issues)

the first security issue was introduced as of 2.6.23 (so was not exploitable on 2.6.22 or older), and has been fixed as of gentoo-sources-2.6.23-r7 / linux 2.6.23.15 / gentoo-sources-2.6.24-r1 / linux 2.6.24.1

the second security issue has existed since 2.6.17. this is not fixed by the above kernel releases. it will be fixed in gentoo-sources-2.6.23-r8 and 2.6.24-r2 which are flowing through the release pipeline as we speak. here's the patch (for both 2.6.23 and 2.6.24) in the meantime: http://dev.gentoo.org/~dsd/genpatches/trunk/2.6.24/1400_vmsplice-user-pointer.patch

(update: those kernels with that patch are now in portage)

there is no official upstream released kernel that fixes this bug yet. 2.6.24.1 is still vulnerable to the second security issue.

both issues allow the user to modify kernel memory, which means it's possible to crash the machine or become root.

when it appears in portage, general success reports of gentoo-sources-2.6.23-r8 would be highly appreciated as we will mark it stable a few hours after release, and there have been some other changes since the last stable version too (want to be sure we haven't added any obvious widespread issues)

----------

## dsd

gentoo-sources-2.6.23-r8 and gentoo-sources-2.6.24-r2 are now in portage which solve both of the security issues. i'm particularly interested in success reports for the 2.6.23 release which will be marked stable when i get up in 8 hours time

it'll probably take about 30 minutes before these ebuilds appear in your "emerge --sync"

----------

## rlittle

I've unmasked gentoo-sources-2.6.24-r1, synced, downloaded, recompiled and installed the new kernel, and I still have the vulnerability.

I suppose I'm looking for 2.6.24.1?

----------

## BitJam

You have to wait for the -r2 version to migrate to the mirrors.

----------

## asdx

2.6.25-rc1 just came out now, this release fixes the vulnerability.

----------

## CyberFoxx

Well, I just hope this gets patched in the tuxonice-sources soon as well.

----------

## NightMonkey

 *Quote:*   

> the second security issue has existed since 2.6.17. this is not fixed by the above kernel releases. it will be fixed in gentoo-sources-2.6.23-r8 and 2.6.24-r2 which are flowing through the release pipeline as we speak. heres the patch (for both 2.6.23 and 2.6.24) in the meantime: http://dev.gentoo.org/~dsd/genpatches/trunk/2.6.24/1400_vmsplice-user-pointer.patch
> 
> (update: those kernels with that patch are now in portage)
> 
> there is no official upstream released kernel that fixes this bug yet. 2.6.24.1 is still vulnerable to the second security issue. 

 

Will 2.6.22 (or earlier) kernels get the patch as well? I've got a few servers still running .22. Thanks.

----------

## desultory

Bear in mind that patching the kernel is not the only way to handle this problem.

----------

## dsd

can't speak for other kernels, but there will be no further gentoo-sources-2.6.22 releases so you will have to upgrade or patch it yourself

----------

## bunder

if you want to patch it by hand you can do this:

take your ebuild and copy it to your local overlay

add this line: (best place is right above pkg_setup)

 *Quote:*   

> UNIPATCH_LIST="${FILESDIR}/novmsplice.patch"
> 
> 

 

and download the patch file and put it in /usr/local/portage/sys-kernel/gentoo-sources/files (giving it the name of the .patch file you listed above).  oh, and of course, digest, re-emerge and compile.

worked for me on 2.6.18-r6.

cheers

----------

## blu3bird

*gcc jessica_biel_naked_in_my_bed.c -static -Wno-format wrote:*

> jessica_biel_naked_in_my_bed.c:138:2: error: #error "unsupported arch"

Sometimes it's a good thing to be on a rarely used arch.

But I'd better patch my kernel before someone is able to write the necessary asm code :>

----------

## tapted

 *dsd wrote:*   

> 
> 
> when it appears in portage, general success reports of gentoo-sources-2.6.23-r8 would be highly appreciated as we will mark it stable a few hours after release, and there have been some other changes since the last stable version too (want to be sure we haven't added any obvious widespread issues)

 

I've updated 5 gentoo machines this way, all were previously vulnerable, all are now not. All are running fine.

I think it's the first time ever my PCs have all had synchronised kernels:

```
uname -a ; cat /proc/version
Linux daisy 2.6.23-gentoo-r8 #1 SMP Mon Feb 11 12:14:40 EST 2008 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 6000+ AuthenticAMD GNU/Linux
Linux version 2.6.23-gentoo-r8 (root@daisy) (gcc version 4.1.2 (Gentoo 4.1.2 p1.0.2)) #1 SMP Mon Feb 11 12:14:40 EST 2008
Linux xx-xxx-0 2.6.23-gentoo-r8 #1 SMP PREEMPT Mon Feb 11 12:31:06 EST 2008 i686 Intel(R) Pentium(R) D CPU 3.00GHz GenuineIntel GNU/Linux
Linux version 2.6.23-gentoo-r8 (root@pc-xxx-x) (gcc version 4.1.2 20070214 ( (gdc 0.24, using dmd 1.020)) (Gentoo 4.1.2 p1.0.2)) #1 SMP PREEMPT Mon Feb 11 12:31:06 EST 2008
Linux xx-xxx-7 2.6.23-gentoo-r8 #1 SMP PREEMPT Mon Feb 11 12:32:32 EST 2008 i686 Intel(R) Pentium(R) 4 CPU 3.00GHz GenuineIntel GNU/Linux
Linux version 2.6.23-gentoo-r8 (root@pc-xxx-x) (gcc version 4.1.2 20070214 ( (gdc 0.23, using dmd 1.007)) (Gentoo 4.1.2 p1.0.1)) #1 SMP PREEMPT Mon Feb 11 12:32:32 EST 2008
Linux xx-xxx-9 2.6.23-gentoo-r8 #1 PREEMPT Mon Feb 11 12:32:09 EST 2008 i686 Intel(R) Pentium(R) 4 CPU 2.53GHz GenuineIntel GNU/Linux
Linux version 2.6.23-gentoo-r8 (root@xx-xxx-x) (gcc version 4.1.2 20070214 ( (gdc 0.23, using dmd 1.007)) (Gentoo 4.1.2)) #1 PREEMPT Mon Feb 11 12:32:09 EST 2008
Linux xx-xxx-1 2.6.23-gentoo-r8 #1 SMP PREEMPT Mon Feb 11 12:32:32 EST 2008 i686 Intel(R) Pentium(R) D CPU 3.00GHz GenuineIntel GNU/Linux
Linux version 2.6.23-gentoo-r8 (root@xx-xxx-x) (gcc version 4.1.2 20070214 ( (gdc 0.24, using dmd 1.020)) (Gentoo 4.1.2 p1.0.2)) #1 SMP PREEMPT Mon Feb 11 12:32:32 EST 2008
```

All done with 

```
emerge --sync
echo '=sys-kernel/gentoo-sources-2.6.23-r8' >> /etc/portage/package.keywords
emerge gentoo-sources
(fix symlink, copy .config)
make oldconfig
make && make modules_install && mount /boot && make install && emerge ati-drivers && reboot
```

note: times are Australian EST (GMT +11). i.e. ~8 hours before this post -- go Gentoo, getting this patched so quickly!

----------

## dsd

thanks, i marked it stable about 30 mins ago

----------

## Target

Securityfocus report: http://www.securityfocus.com/bid/27704/info

The exploit exits with "Killed" on the hardened environments I've tested it under, save for an Athlon64 box, which kernel panics instead for some reason.

----------

## baeksu

 *desultory wrote:*   

> Bear in mind that patching the kernel is not the only way to handle this problem.

 

I built the module with the makefile and insmod'd it. After that the exploit segfaults (while dumping a very scary message from kernel), so I guess it disables the exploit for now.

Thanks for that, I've patched my server, but won't be able to reboot at least for a few days, so that fix should tide me over until my next 'unscheduled downtime'.

----------

## depontius

Any news about a fix for this to hardened-sources?

I control pretty tightly who is able to ssh onto my hardened-sources machines, but I'd still like the fix for this on them.

----------

## albright

I find that the exploit will not compile on any of my gentoo machines.

I get these messages:

```
exploit2.c:30:22: error: asm/page.h: No such file or directory
exploit2.c: In function 'main':
exploit2.c:211: error: 'PAGE_SIZE' undeclared (first use in this function)
exploit2.c:211: error: (Each undeclared identifier is reported only once
exploit2.c:211: error: for each function it appears in.)
```

(by some creative linkage I can get rid of the page.h error, but not the other ...)

I'm just curious what's going on here ...

----------

## Voltago

 *albright wrote:*   

> I'm just curious what's going on here ...

 

You need

```
gcc -I /usr/src/linux/include <...>
```

----------

## sundialsvc4

I'm just wondering now when the madwifi-ng stuff is going to be caught up-to-date with regard to the kernel source.  I understand that some conditional-symbols have been redefined since ".24?"

----------

## albright

*Quote:*

> You need
>
> ```
> gcc -I /usr/src/linux/include <...>
> ```

 

thanks for that. 

Interestingly, my notebook with tuxonice sources (2.6.24-tuxonice) does not succumb, but instead returns:

```
[-] vmsplice: Function not implemented
```

Same for my old notebook (which serves as router, gateway etc., so it might matter here), which is running 2.6.17-gentoo-r4.

Good to know ...

----------

## richard77

Would be nice to have a big warning on www.gentoo.org and make this thread sticky for a while (IMHO).

I've discovered this on planet.gentoo.org but I think there a lot of people that don't read it often.

Will vulnerable kernels be masked?

----------

## NightMonkey

 *dsd wrote:*   

> can't speak for other kernels, but there will be no further gentoo-sources-2.6.22 releases so you will have to upgrade or patch it yourself

 

dsd,

Love your kernels.  According to this LWN article, 2.6.22.18 was released to fix (one of?) these security issues.

Cheers!

----------

## ruivilela

Linux 2.6.23-gentoo-r3 #17 SMP PREEMPT ... - Vulnerable, but it's my laptop...

Linux 2.6.20-gentoo-r7 #1 SMP ... - Not vulnerable, maybe? The program gives a segmentation fault... (this is a server, but it is full of pacific users)

Linux 2.6.20-1.2962.fc6 #1 SMP ... - Not vulnerable, the same error... What option in the kernel makes it vulnerable?

----------

## _markd

I hope these fixes will be in xen-sources soon! I have some vm servers running with xen-sources-2.6.20

md

----------

## jakommo

 *desultory wrote:*   

> Bear in mind that patching the kernel is not the only way to handle this problem.

 

is this one available for amd64 too?

----------

## ruivilela

Linux 2.6.23-ARCH #1 SMP PREEMPT - Vulnerable. I know it's an ARCH, but it's my colleague's server.

I suppose this is related to some down servers on the Internet (wiki gentoo?) and (www.kernel.com), not org.

----------

## nixnut

FYI: hardened-sources have been fixed too.

----------

## SDNick484

I manually applied the patch from git to my tuxonice kernel (tuxonice-2.6.24) and recompiled without a problem.  The patch resolved the issue; previously I was running tuxonice-2.6.23-r1 which was affected.  I also found my Fedora Core 7 box vulnerable.

EDIT: the git patch only fixes the original exploit, I tried exploit 5093 from milw0rm and found it worked even after patching the kernel (5092 is fixed though).  The second exploit seems to only affect .23 & .24 kernels.  According to the Red Hat tracker, the bug is fixed here; I'll recompile my kernel tomorrow if I get a chance and see if that fixes it for sure.  I also noticed the program mentioned in the debian tracker that fixes the original bug (at least until you reboot), doesn't work on 5093 either.

----------

## slithy

 *ruivilela wrote:*   

> Linux 2.6.23-gentoo-r3 #17 SMP PREEMPT ... - Vulnerable, but it's my laptop...
>
> Linux 2.6.20-gentoo-r7 #1 SMP ... - Not vulnerable, maybe? The program gives a segmentation fault... (this is a server, but it is full of pacific users)
>
> Linux 2.6.20-1.2962.fc6 #1 SMP ... - Not vulnerable, the same error... What option in the kernel makes it vulnerable?

 

I'm running gentoo-sources-2.6.20-r4 on some of my machines and the exploit segfaults as well.

----------

## erojasv

i tried the exploit but it didn't work, it looks like my machines are not vulnerable

It's in a virtual machine (vmware-player), 2.6.23-gentoo-r6:

```
erojasv@gentoo1 ~ $ ./exploit2
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[-] /proc/kallsyms: No such file or directory
```

It's in my server, 2.6.18-028stab027 (openvz-sources):

```
deepyox@localhost ~ $ ./exploit2
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] addr: 0xc0113880
[-] wtf
deepyox@localhost ~ $ ./exploit2
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] addr: 0xc0113880
[-] wtf
```

----------

## downer

 *erojasv wrote:*   

> i tried the exploit but it didn't work, it looks like my machines are not vulnerable
> 
> ==================== It's in a virtual machine (vmware-player), 2.6.23-gentoo-r6
> 
> erojasv@gentoo1 ~ $ ./exploit2
> ...

 

I wouldn't bet on it, I get the "wtf" 2 out of 3 times on my debian server, but once in a while it goes through and gives me root... don't ask me why.

I got a RHEL test machine that gives me "[-] vmsplice: Function not implemented", which is what I assume is what you want to be sure you are not affected.

//D

----------

## vladms

I have seen the same behavior. Segfaults a couple of times but at some point it goes through. (not on gentoo system, but still...)

So, for all the people for which it segfaulted the first time: you might still be at risk!

----------

## _markd

I tried the exploit in a xen domU running xen-sources-2.6.20-r4 with the following result:

```
$ ./exploit
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xf7f4d000 .. 0xf7f7f000
[-] wtf
```

In dom0 running 2.6.20-r4 I got this:

```
$ ./exploit
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x100000000000 .. 0x100000001000
[+] page: 0x100000000000
[+] page: 0x100000000038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x2af7e41c9000 .. 0x2af7e41fb000
Killed
```

And a kernel message in dom0:

```
Unable to handle kernel paging request at ffff8802601a0000 RIP:
 [<ffffffff802b5e2c>] get_user_pages+0x5dc/0x650
PGD 3193067 PUD 439d067 PMD 449e067 PTE 0
Oops: 0002 [1] SMP
CPU 1
Modules linked in:
Pid: 26193, comm: exploit Not tainted 2.6.20-xen-r4 #1
RIP: e030:[<ffffffff802b5e2c>]  [<ffffffff802b5e2c>] get_user_pages+0x5dc/0x650
RSP: e02b:ffff88026019fd88  EFLAGS: 00010282
RAX: ffff88000f384b58 RBX: 000000000000000e RCX: 0000000000100073
RDX: ffff88000f384b58 RSI: 00002af7e41f6000 RDI: ffff88000f384b58
RBP: ffff8803e58bf870 R08: 000000000013d47d R09: 800000013d47d167
R10: 0000000000000000 R11: ffffffffff578040 R12: ffff8802601a0000
R13: 0000000000000168 R14: 000000000000002d R15: 00002af7e41f6000
FS:  00002ac510d27dd0(0063) GS:ffffffff8090b080(0000) knlGS:0000000000000000
CS:  e033 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000022aeb8000 CR4: 0000000000002620
Process exploit (pid: 26193, threadinfo ffff88026019e000, task ffff8800000ba870)
Stack:  ffff88026019fdf8 ffffffd300000000 ffff8803e8525780 ffff8800000ba870
 000000017fffffff ffffffffffffffff 0000000000000000 0000000000000000
 00007fffc68de750 0000000000000000 0000000000000000 ffffffff802d4dee
Call Trace:
 [<ffffffff802d4dee>] sys_vmsplice+0x1de/0x310
 [<ffffffff80210a8f>] free_pages_and_swap_cache+0x7f/0xa0
Code: 49 89 04 24 48 83 7c 24 68 00 74 04 49 89 6d 00 41 ff c6 ff
RIP  [<ffffffff802b5e2c>] get_user_pages+0x5dc/0x650
 RSP <ffff88026019fd88>
CR2: ffff8802601a0000
 <4>peth0: received packet with  own address as source address
```

In a feisty ubuntu-server domU on the same gentoo dom0 the result was:

```
$ ./exploit
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xf7ed2000 .. 0xf7f04000
[-] wtf
```

So xen machines *seem* to be secure ?!

----------

## djs

Just FYI-  From the Changelog on kernel.org, the vanilla sources have the patch in version 2.6.24.2.  I know that may take a while to get into portage though...

/djs
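An added example, not from any post in this thread: a POSIX sh function that classifies a `uname -r` string against the fixed versions reported above by dsd (gentoo-sources 2.6.23-r7/-r8 and 2.6.24-r1/-r2, vanilla 2.6.23.15 and 2.6.24.1), asdx (2.6.25-rc1) and djs (vanilla 2.6.24.2), so a fleet can be inventoried before anyone runs an exploit on it. The function name, the output words, and reporting every non-gentoo-sources kernel (tuxonice, xen, fc6, ARCH, openvz) as "unknown" are assumptions of this example.

```shell
#!/bin/sh
# Classify a kernel release string against the fix versions this thread reports.
# Assumed rules (from the posts by dsd, asdx and djs):
#   issue 1 (introduced in 2.6.23): fixed in vanilla 2.6.23.15 / 2.6.24.1 and
#            in gentoo-sources-2.6.23-r7 / -2.6.24-r1
#   issue 2 (present since 2.6.17):  fixed in gentoo-sources-2.6.23-r8 / -2.6.24-r2,
#            vanilla 2.6.24.2, and 2.6.25-rc1 onwards
# Output is one word: unaffected | fixed | issue2 | issue1+issue2 | unknown
vmsplice_status() {
    rel=$1
    base=${rel%%-*}                 # "2.6.23.15" from "2.6.23.15-foo-r1"
    flavor=${rel#"$base"}           # "-gentoo-r8", "-r6", "-rc1" or ""
    case $base in 2.6.*) ;; *) echo unknown; return 0 ;; esac
    rest=${base#2.6.}
    patch=${rest%%.*}               # third component, e.g. 23
    sub=${rest#"$patch"}; sub=${sub#.}; sub=${sub:-0}   # stable sublevel, e.g. 15
    case $patch in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case $sub in *[!0-9]*) echo unknown; return 0 ;; esac

    if [ "$patch" -lt 17 ]; then echo unaffected; return 0; fi   # vmsplice predates 2.6.17? no: bug does
    if [ "$patch" -ge 25 ]; then echo fixed; return 0; fi        # 2.6.25-rc1 and later

    case $flavor in
        "")                         # plain kernel.org release
            if   [ "$patch" -eq 24 ] && [ "$sub" -ge 2 ];  then echo fixed
            elif [ "$patch" -eq 24 ] && [ "$sub" -ge 1 ];  then echo issue2
            elif [ "$patch" -eq 23 ] && [ "$sub" -ge 15 ]; then echo issue2
            elif [ "$patch" -ge 23 ]; then echo issue1+issue2
            else echo issue2; fi ;;
        -gentoo|-gentoo-r[0-9]*|-r[0-9]*)   # gentoo-sources, -rN is the ebuild revision
            rev=0
            case $flavor in *-r[0-9]*) rev=${flavor##*-r} ;; esac
            case $rev in *[!0-9]*) echo unknown; return 0 ;; esac
            if [ "$patch" -eq 23 ]; then
                if   [ "$rev" -ge 8 ]; then echo fixed
                elif [ "$rev" -ge 7 ]; then echo issue2
                else echo issue1+issue2; fi
            elif [ "$patch" -eq 24 ]; then
                if   [ "$rev" -ge 2 ]; then echo fixed
                elif [ "$rev" -ge 1 ]; then echo issue2
                else echo issue1+issue2; fi
            else echo issue2; fi ;;   # 2.6.17..2.6.22: no fixed gentoo-sources release
        *) echo unknown ;;            # vendor/patchset kernels: consult that tree's changelog
    esac
}

# Direct use on a host:  vmsplice_status "$(uname -r)"
```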

----------

## Sadako

 *djs wrote:*   

> Just FYI-  From the Changelog on kernel.org, the vanilla sources have the patch in version 2.6.24.2.  I know that may take a while to get into portage though...
> 
> /djs

Recent versions of at least gentoo-sources and hardened-sources have already been patched...

----------

## erojasv

 *downer wrote:*   

> *erojasv wrote:*   i tried the exploit but it didn't work, it looks like my machines are not vulnerable
> 
> ==================== It's in a virtual machine (vmware-player), 2.6.23-gentoo-r6
> 
> erojasv@gentoo1 ~ $ ./exploit2
> ...

 

I have tried many times but the exploit don't work xD

----------

## Raposatul

What does the exploit do?

----------

## downer

 *Raposatul wrote:*   

> What does the exploit do?

 

gives local users the ability to get root access.

//D

----------

## SDNick484

I just verified, the latest tuxonice kernel (2.6.24-tuxonice-r2) resolves both errors without the need to manually patch anything:

```
stewie:~$ uname -a
Linux stewie 2.6.24-tuxonice-r2 #1 Wed Feb 13 21:02:24 PST 2008 i686 Intel(R) Pentium(R) M processor 2.00GHz GenuineIntel GNU/Linux
stewie:~$ ./expl
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7ef6000 .. 0xb7f28000
[-] vmsplice: Bad address
stewie:~$ ./expl2
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] addr: 0xc01103d0
[-] wtf
stewie:~$
```

Likewise, the gentoo.org main page confirms the issue is resolved in gentoo-sources-2.6.23-r8 (stable) & gentoo-sources-2.6.24-r2 (~arch).  I believe tuxonice (formerly suspend2-sources) includes the gentoo-sources patches, so this probably should have been expected.

----------

## Workaphobia

 *downer wrote:*   

> *Raposatul wrote:*   What does the exploit do?
> 
> gives local users ability to get root access.
> 
> //D

 

I'm a little confused as to why this is called a local exploit, when it's apparently doable by anyone with an account, including remote users with shell access. I mean, if that's local, what else is there, when it comes to the kernel? I suppose buffer overflows in things like network drivers would be distinct, but is that the only other kind of flaw?

----------

## downer

 *Workaphobia wrote:*   

> I'm a little confused as to why this is called a local exploit, when it's apparently doable by anyone with an account, including remote users with shell access. I mean, if that's local, what else is there, when it comes to the kernel? I suppose buffer overflows in things like network drivers would be distinct, but is that the only other kind of flaw?

 

first hit on google on "local vs remote exploit": http://lwn.net/Articles/91280/

basically it comes down to semantics; a remote exploit is anyone in the world, a local is by a legitimate user, then there are two step attacks where they use a remote exploit to gain access and then a local one to root the host... 

but yeah, a remote kernel exploit is rare i'd say

//D

----------

## Nicias

For those of us using a non-gentoo-sources kernel, (for example tuxonice) how do we know to what to upgrade?

----------

## downer

 *Nicias wrote:*   

> For those of us using a non-gentoo-sources kernel, (for example tuxonice) how do we know to what to upgrade?

 

2.6.24-r2 and up should contain the fix.

//D

----------

## Nicias

Do I have to go unstable? Digging around more got me this Bugzilla page that seems to say that 2.6.23-r10 will fix the issue.

----------

## V-Li

 *Nicias wrote:*   

> Do I have to go unstable? Digging around more got me this Bugzilla page that seems to say that 2.6.23-r10 will fix the issue.

 

 *Quote:*   

> 21 Feb 2008; Christian Faulhammer <opfer@gentoo.org>
> 
>   tuxonice-sources-2.6.23-r10.ebuild:
> 
>   stable x86, bug 202064

 

This has been for the security issue...amd64 should follow.  Until then go unstable for that specific package.

----------

