
List:       oss-security
Subject:    Re: [oss-security] Linux Kernel: local priv escalation via futexes
From:       Marcus Meissner <meissner () suse ! de>
Date:       2021-01-29 17:01:11
Message-ID: 20210129170111.GO2759 () suse ! de

Hi,

Mitre has now assigned CVE-2021-3347.

On Fri, Jan 29, 2021 at 05:42:08PM +0100, Solar Designer wrote:
> Hi,
> 
> I'm not familiar with futexes, but just to save others a few minutes on
> looking this up:

(Is anyone? Futexes are too complex for me at least; I would guess that
 using them is also error-prone.)

> On Fri, Jan 29, 2021 at 11:09:28AM +0100, Marcus Meissner wrote:
> >        - Address a longstanding issue where the user space part of the PI
> >          futex is not writeable. The kernel returns with inconsistent state
> >          which can in the worst case result in a UAF of a task's kernel
> >          stack.
> > 
> >          The solution is to establish consistent kernel state which makes
> >          future operations on the futex fail because user space and kernel
> >          space state are inconsistent. Not a problem as PI futexes
> >          fundamentally require a functional RW mapping and if user space
> >          pulls the rug under it, then it can keep the pieces it asked for.
> 
> >     * tag 'locking-urgent-2021-01-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
> >       futex: Handle faults correctly for PI futexes
> 
> FWIW, this commit has:
> 
> Fixes: 1b7558e457ed ("futexes: fix fault handling in futex_lock_pi")
> 
> and that other commit is from 2008.  So probably all currently
> maintained Linux distros and deployments are affected, unless something
> else mitigated the issue in some kernel versions.

Yes, this goes back a long way; sorry for leaving this out.

Ciao, Marcus