Critical Linux kernel vmsplice security issues

There have been two significant security flaws found in the Linux kernel, accompanied by plenty of misinformation and confusion. This is my attempt to clear things up a bit.

The short story: If you are running Linux 2.6.17 or newer then any unprivileged user who can run programs on your machine (local console, SSH, or any other kind of shell access) can easily become root or crash the system. If this is a problem for you, then you need to upgrade to gentoo-sources-2.6.23-r8 or gentoo-sources-2.6.24-r2. At the time of writing there is no officially released upstream kernel which solves both issues: Linux 2.6.24.1 and 2.6.23.15 fix the first one but are still vulnerable to the second.

The longer story:

There are actually two separate security issues in question here. However, they both have the same impact (any user can modify kernel memory and hence become root), and both exist within the implementation of the vmsplice() system call in fs/splice.c. In both cases the root cause is the same: addresses taken from a user-supplied iovec were used without first being validated with access_ok(), so a caller could point the kernel at memory it should never have touched. vmsplice() was added in Linux 2.6.17 and is built into every kernel – there is no configuration option to exclude it. Two separate exploits have been publicly released, one for each issue.

The first security issue was added in Linux 2.6.23 (obviously unintentionally!). This means that 2.6.22 and older are not vulnerable to the first exploit. It was fixed in Linux 2.6.23.15 and Linux 2.6.24.1. This vulnerability has been assigned two identifiers, one for each affected code path: CVE-2008-0009 and CVE-2008-0010.

The second security issue is more serious. Firstly, it has existed for the entire lifetime of vmsplice(), which means that any kernel version 2.6.17 or newer is vulnerable. Secondly, it is not fixed in any upstream kernel release at the time of writing, but the fix (adding the missing access_ok() check in get_iovec_page_array()) has been merged into Linus’ upstream development tree. This vulnerability has been assigned ID CVE-2008-0600.
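Added example (my own, not code from this post or from the kernel): a user-space model of the pointer check that the vmsplice() fixes add. All three CVEs share one root cause: fs/splice.c took addresses from a user-supplied iovec and used them without an access_ok() check. The block below puts the unchecked shape beside the checked one, together with a model of the x86 access_ok() rule (the whole range must lie below TASK_SIZE, and base + len must not wrap around). The 3G/1G address split, the sample addresses, the 16-entry limit and every model_ name are assumptions made for this example, not values taken from the post.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/uio.h>

/* Assumed i386-style 3G/1G split: addresses at or above this value are kernel
 * space. An assumption for this example, not a value from the post. */
#define MODEL_TASK_SIZE 0xC0000000UL
/* Assumed upper bound on iovec entries handled per call (stands in for the
 * kernel's fixed-size pipe buffer array). */
#define MODEL_MAX_IOV 16
#define MODEL_PTR(a) ((void *)(uintptr_t)(a))

/* Model of x86 access_ok(): [addr, addr + len) must lie below TASK_SIZE and
 * addr + len must not wrap. Returns 1 if the range is acceptable, else 0. */
static int model_access_ok(unsigned long addr, unsigned long len)
{
    if (len > ULONG_MAX - addr)
        return 0;                       /* addr + len would wrap past ULONG_MAX */
    return addr + len <= MODEL_TASK_SIZE;
}

/* Unchecked shape: takes iov_base/iov_len at face value. Returns how many
 * entries would be handed on to get_user_pages(). */
static int model_vulnerable_iovec_check(const struct iovec *iov, unsigned long nr)
{
    int accepted = 0;
    unsigned long i;

    for (i = 0; i < nr && i < MODEL_MAX_IOV; i++) {
        if (iov[i].iov_len == 0)
            break;
        accepted++;                     /* no check on where iov_base points */
    }
    return accepted;
}

/* Checked shape, structured like the upstream fix: stop at the first
 * zero-length entry, and fail the whole call with -EFAULT on the first entry
 * that does not pass access_ok(). */
static int model_hardened_iovec_check(const struct iovec *iov, unsigned long nr)
{
    int accepted = 0;
    unsigned long i;

    for (i = 0; i < nr && i < MODEL_MAX_IOV; i++) {
        unsigned long base = (unsigned long)(uintptr_t)iov[i].iov_base;
        unsigned long len = iov[i].iov_len;

        if (len == 0)
            break;
        if (!model_access_ok(base, len))
            return -EFAULT;
        accepted++;
    }
    return accepted;
}

/* Constructed sample inputs (assumed i386 addresses: 0x08048000 as a typical
 * user text mapping, 0xC0100000 as a kernel text address). */
enum model_case {
    MODEL_CASE_GOOD,        /* two ordinary user buffers */
    MODEL_CASE_KERNEL_PTR,  /* second entry points into kernel space */
    MODEL_CASE_WRAP,        /* base + len wraps around the address space */
    MODEL_CASE_ZERO_STOPS   /* zero-length entry ends the scan before a bad one */
};

/* Run one constructed case through the unchecked (hardened == 0) or checked
 * (hardened != 0) routine and return its result. */
static int model_run(enum model_case c, int hardened)
{
    struct iovec iov[3] = {
        { .iov_base = MODEL_PTR(0x08048000UL), .iov_len = 4096 },
        { .iov_base = MODEL_PTR(0x08049000UL), .iov_len = 64 },
        { .iov_base = MODEL_PTR(0xC0100000UL), .iov_len = 4096 },
    };
    unsigned long nr = 2;

    if (c == MODEL_CASE_KERNEL_PTR)
        iov[1].iov_base = MODEL_PTR(0xC0100000UL);
    else if (c == MODEL_CASE_WRAP)
        iov[1].iov_len = ULONG_MAX - 0x1000UL;  /* base + len wraps around */
    else if (c == MODEL_CASE_ZERO_STOPS) {
        iov[1].iov_len = 0;                     /* scan must stop here ... */
        nr = 3;                                 /* ... before reaching iov[2] */
    }
    return hardened ? model_hardened_iovec_check(iov, nr)
                    : model_vulnerable_iovec_check(iov, nr);
}

int main(void)
{
    int c;

    for (c = MODEL_CASE_GOOD; c <= MODEL_CASE_ZERO_STOPS; c++)
        printf("case %d: unchecked=%d checked=%d\n", c,
               model_run((enum model_case)c, 0), model_run((enum model_case)c, 1));
    return 0;
}
```

Two details matter in the checked routine. An entry whose base + len wraps past the top of the address space would pass a naive "end below TASK_SIZE" test, which is why the overflow test comes first; and the scan stops at the first zero-length entry, as get_iovec_page_array() does, so entries after it are never examined at all.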

gentoo-sources-2.6.23-r7 and gentoo-sources-2.6.24-r1 include the fix for the first issue, but are still vulnerable to the second (which is equally serious).

gentoo-sources-2.6.23-r8 and gentoo-sources-2.6.24-r2 include the fix for the second issue and are hence secured against all known vmsplice exploits at this point in time. 2.6.23-r8 will be marked stable when I wake up 7-8 hours from now, so testing of that release would be appreciated.

UPDATE: gentoo-sources-2.6.23-r8 is now stable, and upstream have also released the following which fix all currently known issues: Linux 2.6.23.16, 2.6.24.2 and 2.6.25-rc1.

17 Responses to “Critical Linux kernel vmsplice security issues”

  1. Gustavo Felisberto Says:

    It is always good to see a post that gives info that is clear and to the point. Thanks m8.

  2. Alex Howells Says:

    Thanks for the hard work. I wasn’t aware of the first issue, although the second has made quite a splash lately. Simple testing of 2.6.24-r2 shows it works fine, stable ahoy!

  3. KingTaco Says:

    For the record, grsec/pax seems to be immune from this bug on a wide array of tested machines.

  4. Tobias Scherbaum » Local Root Exploit II Says:

    [...] contain the necessary fixes and are already “stable” for x86/amd64. Daniel Drake summarises the bug description and the affected versions in detail [...]

  5. vivo Says:

    http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.24.2 should fix CVE-2008-0600.

  6. grml development blog Says:

    kernel 2.6.23-grml addressing CVE-2008-0009/10 available…

    Kernel 2.6.23-grml.06 is available in the grml repository. It includes latest stable patch 2.6.23.16 which addresses the well known root exploits from CVE-2008-0009/10 (see bugzilla #9924 and debian BTS #464953 and dsd’s detailed explanation for furth…

  7. Pawel Says:

    “there is no configuration option to exclude vmsplice”

    Really?

    $ ./disable-vmsplice-if-exploitable
    PAGE_SIZE: 4096
    ———————————–
    Linux vmsplice Local Root Exploit
    By qaaz
    ———————————–
    [+] mmap: 0x0 .. 0x1000
    [+] page: 0x0
    [+] page: 0x20
    [+] mmap: 0x4000 .. 0x5000
    [+] page: 0x4000
    [+] page: 0x4020
    [+] mmap: 0x1000 .. 0x2000
    [+] page: 0x1000
    [+] mmap: 0xb7db6000 .. 0xb7de8000
    [-] vmsplice: Function not implemented

    $ uname -a
    Linux xxxx 2.6.24-gentoo #8 SMP PREEMPT Fri Feb 8 15:34:20 CET 2008 i686 Intel(R) Core(TM)2 Duo CPU T7700 @ 2.40GHz GenuineIntel GNU/Linux

  8. Daniel Drake Says:

    That’s not a configuration option. And, I haven’t tried myself, but I’ve seen a few reports that that runtime hack can also cause the kernel to crash (not surprising given that the exploit does the same sometimes)

  9. Local Root Exploit | USmith Blog Says:

    [...] but unfortunately it did not look so good on the other hosts. Daniel Drake and Tobi had already described the hole well. The exploit is, if you have a local [...]

  10. devBLOG! » Analysis of the two recent Linux 2.6 local exploits (vmsplice) Says:

    [...] started writing a summary of the two recent Linux 2.6 locals but then found Daniel Drake weblog – he’s done an excellent job of pulling all the relevant bits [...]

  11. Divide and Conquer » Blog Archive » The vmsplice local root exploit Says:

    [...] are some Critical Linux kernel vmsplice security issues that hopefully have been patched properly. Fortunately the kernel on this server is too old to be [...]

  12. Kerin Millar Says:

    > # KingTaco Says:
    > February 11th, 2008 at 6:54 am
    >
    > For the record, grsec/pax seems to be immune from this bug on a wide array of tested machines.

    As far as I’m aware the attack only fails to achieve its intended goal if PAX_MEMORY_UDEREF is enabled (which is not supported on x86_64 arch). Even then, the PaX author has warned that stack corruption can occur leading to strange behaviour or crashes later. So let us not be lulled into a false sense of security. Hardened kernel users should upgrade to 2.6.23-r7 which contains the appropriate fixes.
