|
Message-ID: <20210129170111.GO2759@suse.de> Date: Fri, 29 Jan 2021 18:01:11 +0100 From: Marcus Meissner <meissner@...e.de> To: oss-security@...ts.openwall.com Subject: Re: Linux Kernel: local priv escalation via futexes Hi, Mitre has now assigned CVE-2021-3347. On Fri, Jan 29, 2021 at 05:42:08PM +0100, Solar Designer wrote: > Hi, > > I'm not familiar with futexes, but just to save others a few minutes on > looking this up: (Is anyone? Futex are too complex for me at least, I would guess also using them is error prone.) > On Fri, Jan 29, 2021 at 11:09:28AM +0100, Marcus Meissner wrote: > > - Address a longstanding issue where the user space part of the PI > > futex is not writeable. The kernel returns with inconsistent state > > which can in the worst case result in a UAF of a tasks kernel > > stack. > > > > The solution is to establish consistent kernel state which makes > > future operations on the futex fail because user space and kernel > > space state are inconsistent. Not a problem as PI futexes > > fundamentaly require a functional RW mapping and if user space > > pulls the rug under it, then it can keep the pieces it asked for. > > > * tag 'locking-urgent-2021-01-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: > > futex: Handle faults correctly for PI futexes > > FWIW, this commit has: > > Fixes: 1b7558e457ed ("futexes: fix fault handling in futex_lock_pi") > > and that other commit is from 2008. So probably all currently > maintained Linux distros and deployments are affected, unless something > else mitigated the issue in some kernel versions. Yes, goes back to a long history, sorry for leaving this out. Ciao, Marcus
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.