Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20200910145248.GB79015@eldamar.local>
Date: Thu, 10 Sep 2020 16:52:48 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: Andy Lutomirski <luto@...nel.org>
Cc: oss security list <oss-security@...ts.openwall.com>
Subject: Re: CVE Request: Linux kernel vsyscall page
 refcounting error

On Tue, Sep 08, 2020 at 08:33:00AM -0700, Andy Lutomirski wrote:
> Linux 5.7 and 5.8 have a bug in the reference counting of the struct
> page that backs the vsyscall page.  The result is a refcount
> underflow.  This can be triggered by any 64-bit process that is
> permitted to use ptrace() or process_vm_readv().  A creative attacker
> can probably achieve kernel code escalation by using this bug.
> 
> You can prevent the issue from triggering by booting with
> vsyscall=xonly or vsyscall=none.  You can also effectively hotpatch a
> kernel with suitable hardening options by running the updated test
> case noted below -- the test case will underflow the refcount past
> zero, preventing further use of the page.  (A real attacker would
> carefully underflow it exactly to zero but not past.)  Or you can fix
> your kernel.
> 
> (No one should be using vsyscall=emulate any more unless they have a
> very specific use case that requires it.  vsyscall=xonly is better in
> almost all cases.  For some reason, Fedora still seems to be using
> emulate mode, though.)
> 
> Fixed by:
> 
> commit 9fa2dd946743ae6f30dc4830da19147bf100a7f2
> Author: Dave Hansen <dave.hansen@...ux.intel.com>
> Date:   Thu Sep 3 13:40:28 2020 -0700
> 
>     mm: fix pin vs. gup mismatch with gate pages
> 
> and tested a little better by:
> 
> commit 8891adc61dce2a8a41fc0c23262b681c3ec4b73a
> Author: Andy Lutomirski <luto@...nel.org>
> Date:   Thu Sep 3 13:40:30 2020 -0700
> 
>     selftests/x86/test_vsyscall: Improve the process_vm_readv() test

CVE-2020-25221 has been assigned by MITRE for this issue (note one
cannot request anymore CVEs through that list but one can use
https://cveform.mitre.org/)

Regards,
Salvatore

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.