Critical Linux kernel vmsplice security issues

There have been two significant security flaws found in the Linux kernel, accompanied by plenty of misinformation and confusion. This is my attempt to clear things up a bit.

The short story: If you are running Linux 2.6.17 or newer then any user who has local console or SSH terminal access to your machine can easily become root or crash the system. If this is a problem for you, then you need to upgrade to gentoo-sources-2.6.23-r8 or gentoo-sources-2.6.24-r2. At the time of writing, there are no official released upstream kernels which solve the issues – Linux 2.6.24.1 and 2.6.23.15 are vulnerable.

The longer story:

There are actually two separate security issues in question here. However, they both have the same impact (any user can adjust kernel memory and hence become root), and both issues exist within the implementation of the vmsplice() system call. vmsplice() was added in Linux 2.6.17 and is built into every kernel build – there is no configuration option to exclude vmsplice. Two separate exploits have been publicly released which exploit each of the two issues respectively.

The first security issue under discussion was added in Linux 2.6.23 (obviously unintentionally!). This means that 2.6.22 and older are not vulnerable to the first exploit. This issue was fixed by this patch in Linux 2.6.23.15 and Linux 2.6.24.1. This vulnerability has been classified with two codes: CVE-2008-0009 and CVE-2008-0010.

The second security issue is more serious. Firstly, it has existed for the entire lifetime of vmsplice() which means that any kernel version 2.6.17 or newer is vulnerable. Secondly, it is not fixed in any upstream kernel release at time of writing, but the fix has been merged into Linus’ upstream development tree. This vulnerability has been assigned ID CVE-2008-0600.

gentoo-sources-2.6.23-r7 and gentoo-sources-2.6.24-r1 include the fix for the first issue, but are still vulnerable to the second (which is equally serious).

gentoo-sources-2.6.23-r8 and gentoo-sources-2.6.24-r2 include the fix for the second issue and are hence secured against all known vmsplice exploits at this point in time. 2.6.23-r8 will be marked stable when I wake up 7-8 hours from now, so testing of that release would be appreciated.

UPDATE: gentoo-sources-2.6.23-r8 is now stable, and upstream have also released the following which fix all currently known issues: Linux 2.6.23.16, 2.6.24.2 and 2.6.25-rc1.
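A small triage helper for the version facts above, added here as an example and not code from the post: given a `uname -r` string it reports which of the CVEs the post says still apply to that kernel. The parsing regex and the assumption that anything newer than 2.6.25-rc1 carries both fixes are my own, not something the post states.

```python
"""Triage a kernel release string (as printed by `uname -r`) against the two
vmsplice issues. Version boundaries are the ones the post gives; the parsing
and the "newer than 2.6.25-rc1 is fixed" generalization are assumptions."""
import re
import platform

FIRST = ("CVE-2008-0009", "CVE-2008-0010")  # introduced in 2.6.23
SECOND = ("CVE-2008-0600",)                 # present since vmsplice() arrived in 2.6.17

# major.minor.patch[.sublevel][-rcN][-gentoo[-rN]]; any trailing text is ignored
_RELEASE_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(?:-rc\d+)?(?:-(gentoo)(?:-r(\d+))?)?")

def parse_release(release):
    """Return ((major, minor, patch), sublevel, gentoo_rev) or None if unparseable.
    gentoo_rev is None for non-Gentoo kernels and 0 for gentoo-sources without -rN."""
    m = _RELEASE_RE.match(release)
    if not m:
        return None
    major, minor, patch, sub, gentoo, rev = m.groups()
    gentoo_rev = None if gentoo is None else int(rev or 0)
    return (int(major), int(minor), int(patch)), int(sub or 0), gentoo_rev

def vulnerable_cves(release):
    """CVE ids the post's version facts say still apply to `release`
    (empty tuple = not affected), or None if the string cannot be parsed."""
    parsed = parse_release(release)
    if parsed is None:
        return None
    base, sub, gentoo_rev = parsed
    if base < (2, 6, 17):
        return ()             # vmsplice() does not exist before 2.6.17
    if base >= (2, 6, 25):
        return ()             # 2.6.25-rc1 and later carry both fixes (assumed for newer)
    if base <= (2, 6, 22):
        return SECOND         # the first issue only appeared in 2.6.23
    # 2.6.23.x / 2.6.24.x (an -rc build counts as sublevel 0): find the level at
    # which the first issue, and then both issues, were fixed
    if gentoo_rev is not None:  # gentoo-sources: -r7/-r1 fix the first, -r8/-r2 fix both
        first_fixed, all_fixed, level = ((7, 8) if base[2] == 23 else (1, 2)) + (gentoo_rev,)
    else:                       # upstream stable: .15/.1 fix the first, .16/.2 fix both
        first_fixed, all_fixed, level = ((15, 16) if base[2] == 23 else (1, 2)) + (sub,)
    if level >= all_fixed:
        return ()
    if level >= first_fixed:
        return SECOND
    return FIRST + SECOND

if __name__ == "__main__":
    rel = platform.release()
    cves = vulnerable_cves(rel)
    print(rel, "->", "unparseable" if cves is None else (", ".join(cves) or "not affected"))
```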

14 thoughts on “Critical Linux kernel vmsplice security issues”

  1. Alex Howells

    Thanks for the hard work. I wasn’t aware of the first issue, although the second has made quite a splash lately. Simple testing of 2.6.24-r2 shows it works fine, stable ahoy!

  2. Pingback: Tobias Scherbaum » Local Root Exploit II

  3. Pingback: grml development blog

  4. Pawel

    “there is no configuration option to exclude vmsplice”

    Really?

    $ ./disable-vmsplice-if-exploitable
    PAGE_SIZE: 4096
    ———————————–
    Linux vmsplice Local Root Exploit
    By qaaz
    ———————————–
    [+] mmap: 0x0 .. 0x1000
    [+] page: 0x0
    [+] page: 0x20
    [+] mmap: 0x4000 .. 0x5000
    [+] page: 0x4000
    [+] page: 0x4020
    [+] mmap: 0x1000 .. 0x2000
    [+] page: 0x1000
    [+] mmap: 0xb7db6000 .. 0xb7de8000
    [-] vmsplice: Function not implemented

    $ uname -a
    Linux xxxx 2.6.24-gentoo #8 SMP PREEMPT Fri Feb 8 15:34:20 CET 2008 i686 Intel(R) Core(TM)2 Duo CPU T7700 @ 2.40GHz GenuineIntel GNU/Linux

  5. Daniel Drake Post author

    That’s not a configuration option. And I haven’t tried it myself, but I’ve seen a few reports that that runtime hack can also cause the kernel to crash (not surprising, given that the exploit does the same sometimes).

  6. Pingback: Local Root Exploit | USmith Blog

  7. Pingback: devBLOG! » Analysis of the two recent Linux 2.6 local exploits (vmsplice)

  8. Pingback: Divide and Conquer » Blog Archive » The vmsplice local root exploit

  9. Kerin Millar

    > # KingTaco Says:
    > February 11th, 2008 at 6:54 am
    >
    > For the record, grsec/pax seems to be immune from this bug on a wide array of tested machines.

    As far as I’m aware the attack only fails to achieve its intended goal if PAX_MEMORY_UDEREF is enabled (which is not supported on x86_64 arch). Even then, the PaX author has warned that stack corruption can occur leading to strange behaviour or crashes later. So let us not be lulled into a false sense of security. Hardened kernel users should upgrade to 2.6.23-r7 which contains the appropriate fixes.

  10. DamionKutaeff

    Hello everybody, my name is Damion, and I’m glad to join your community,
    and wish to assist as far as possible.
