Local root exploit in Linux kernels 2.6.17 to 2.6.24
Posted by Taoufix on Feb 11th, 2008 in Computers
The exploit allows local users to gain root access using a “proof of concept” exploit. The exploit worked on my machine (Kernel 2.6.22-gentoo-r2).
The bug report:
And here’s a working patch:
— a/fs/splice.c
+++ b/fs/splice.c
@@ -1234,7 +1234,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
if (unlikely(!len))
break;
error = -EFAULT;
- if (unlikely(!base))
+ if (!access_ok(VERIFY_READ, base, len))
break;
/*
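Review bot: The new `access_ok()` test on `base` drops the `unlikely()` hint that the removed line and the `!len` check just above it both carry; writing it as `if (unlikely(!access_ok(VERIFY_READ, base, len)))` keeps the error path marked cold and matches the surrounding style. The check itself is the right one for a `__user` pointer, since the old `!base` test only rejected NULL and said nothing about whether the range from `base` to `base + len` lies in user space. A one-line comment above it noting that `base` and `len` come from the user-supplied iovec would record why a range check, not a NULL check, is needed here.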






