2008-02-10 22:47 | fche blog tech systemtap-based band-aid for linux kernel vmsplice exploit

So it turns out that once in a long while, slashdot serves to notify one of interesting news. If you are looking for a temporary band-aid to patch over this linux kernel security bug, consider the following systemtap script. While running, it neuters every sys_vmsplice call by overwriting one of the incoming parameters: nr_segs is forced to 0 on entry, so the call has nothing to splice. Guru mode (-g) is required because the script writes to a kernel target variable.

# stap -g -e 'probe syscall.vmsplice {
    printf("blocking vmsplice (%s) uid %d pid %d exec %s\n", argstr, uid(), pid(), execname())
    $nr_segs = 0
}'
blocking vmsplice (4, 0x00007fff25697ac0, 1, 0x0) uid 500 pid 32475 exec a.out
blocking vmsplice (4, 0x00007fff8c1da600, 1, 0x0) uid 500 pid 32476 exec a.out
blocking vmsplice (4, 0x00007fff71aaeed0, 1, 0x0) uid 500 pid 32477 exec a.out
blocking vmsplice (4, 0x00007fff215efa10, 1, 0x0) uid 500 pid 32478 exec a.out

UPDATE: If your systemtap doesn't understand "syscall.vmsplice", add this piece into the script and try again:

probe syscall.vmsplice = kernel.function("sys_vmsplice") ? {
        name = "vmsplice"
        argstr = sprintf("%d, %p, %d, 0x%x", $fd, $iov, $nr_segs, $flags)
}

Hey, why not keep it running until you install a patched kernel and are ready to boot into it?
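For a version that can be left running as a standalone script, here is an added example (not from the original post) that folds the alias from the update into one file, so it does not depend on the syscall tapset, and keeps a per-process tally of blocked calls that is printed when the script is stopped. It assumes the kernel symbol is sys_vmsplice, as in the post, and that stap is started with -g; the alias name vmsplice_entry and the global blocked are my own.

```systemtap
#! /usr/bin/env stap
# Added example, not the original post's script: same band-aid, plus a
# tally of blocked calls per (executable, uid) printed on exit.
# Assumes the kernel function is named sys_vmsplice and that stap runs in
# guru mode (-g), which is needed to write the $nr_segs target variable.

global blocked   # hypothetical name: aggregate of blocked calls per (exec, uid)

# Alias directly on the kernel function so the script works even when the
# installed tapset has no syscall.vmsplice probe point.
probe vmsplice_entry = kernel.function("sys_vmsplice") {
        argstr = sprintf("%d, %p, %d, 0x%x", $fd, $iov, $nr_segs, $flags)
}

probe vmsplice_entry {
        printf("blocking vmsplice (%s) uid %d pid %d exec %s\n",
               argstr, uid(), pid(), execname())
        blocked[execname(), uid()] <<< 1
        $nr_segs = 0        # zero segments: the call has nothing to splice
}

# Summary when the script is stopped (Ctrl-C), sorted by count, descending.
probe end {
        printf("\nblocked vmsplice calls while running:\n")
        foreach ([exe, u] in blocked-)
                printf("  %-16s uid %-6d %d\n", exe, u, @count(blocked[exe, u]))
}
```

Run it as root with `stap -g vmsplice_bandaid.stp` (file name is arbitrary); the exit summary makes it easy to see which processes, if any, kept trying the call.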
