Contrary to what I've been reading, I can confirm this on feisty, at
least with an AMD processor:

[EMAIL PROTECTED]:~$ grep "model name" /proc/cpuinfo
model name      : Dual-Core AMD Opteron(tm) Processor 2218
model name      : Dual-Core AMD Opteron(tm) Processor 2218
model name      : Dual-Core AMD Opteron(tm) Processor 2218
model name      : Dual-Core AMD Opteron(tm) Processor 2218
[EMAIL PROTECTED]:~$ uname -a
Linux pie 2.6.20-16-generic #2 SMP Thu Jan 31 22:39:18 UTC 2008 x86_64 GNU/Linux
[EMAIL PROTECTED]:~$ ./exploit 
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x100000000000 .. 0x100000001000
[+] page: 0x100000000000
[+] page: 0x100000000038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x2ac0a9f0d000 .. 0x2ac0a9f3f000
[+] root
[EMAIL PROTECTED]:~# whoami
root
[EMAIL PROTECTED]:~# 

I also confirm the suggested hotfix (disable-vmsplice-if-exploitable.c)
works:

[EMAIL PROTECTED]:~$ cc disable-vmsplice-if-exploitable.c 
[EMAIL PROTECTED]:~$ ./a.out 
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x100000000000 .. 0x100000001000
[+] page: 0x100000000000
[+] page: 0x100000000038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x2acad5163000 .. 0x2acad5195000
[+] root
Exploit gone!
[EMAIL PROTECTED]:~$ ./exploit 
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x100000000000 .. 0x100000001000
[+] page: 0x100000000000
[+] page: 0x100000000038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x2b010025b000 .. 0x2b010028d000
[-] vmsplice
[EMAIL PROTECTED]:~$ whoami
ycsapo

-- 
Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
https://bugs.launchpad.net/bugs/190587
You received this bug notification because you are a member of Ubuntu
Bugs, which is the bug contact for Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
