List: oss-security
Subject: Re: [oss-security] Linux Kernel: local priv escalation via futexes
From: Marcus Meissner <meissner () suse ! de>
Date: 2021-01-29 17:01:11
Message-ID: 20210129170111.GO2759 () suse ! de
Hi,
Mitre has now assigned CVE-2021-3347.
On Fri, Jan 29, 2021 at 05:42:08PM +0100, Solar Designer wrote:
> Hi,
>
> I'm not familiar with futexes, but just to save others a few minutes on
> looking this up:
(Is anyone? Futexes are too complex for me at least; I would guess also
that using them is error prone.)
> On Fri, Jan 29, 2021 at 11:09:28AM +0100, Marcus Meissner wrote:
> > - Address a longstanding issue where the user space part of the PI
> > futex is not writeable. The kernel returns with inconsistent state
> > which can in the worst case result in a UAF of a task's kernel
> > stack.
> >
> > The solution is to establish consistent kernel state which makes
> > future operations on the futex fail because user space and kernel
> > space state are inconsistent. Not a problem as PI futexes
> > fundamentally require a functional RW mapping and if user space
> > pulls the rug under it, then it can keep the pieces it asked for.
>
> > * tag 'locking-urgent-2021-01-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
> > futex: Handle faults correctly for PI futexes
>
> FWIW, this commit has:
>
> Fixes: 1b7558e457ed ("futexes: fix fault handling in futex_lock_pi")
>
> and that other commit is from 2008. So probably all currently
> maintained Linux distros and deployments are affected, unless something
> else mitigated the issue in some kernel versions.
Yes, goes back to a long history, sorry for leaving this out.
Ciao, Marcus
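The merge message quoted above says that PI futexes fundamentally need a readable and writable mapping. The program below is an added example (it is not part of this e-mail thread, of the kernel commit, or of any reproducer) that shows that contract from user space: it takes a PI futex through the kernel path, so the kernel stores the owner's TID in the futex word, then removes write permission from the page with mprotect() and asks the kernel to release the lock. The names pi_demo_result, run_pi_demo, futex_pi and my_tid are this example's own; it assumes a Linux host with linux/futex.h available.

```c
/*
 * Added example, not code from the original thread or the kernel tree.
 * Demonstrates that a PI futex only works while its word sits in a mapping
 * that is both readable and writable. All helper names here are invented
 * for this example.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/futex.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

struct pi_demo_result {
    long lock_rc;               /* FUTEX_LOCK_PI return value (0 = lock taken) */
    uint32_t word_after_lock;   /* futex word after the lock: the owner's TID  */
    long unlock_rc;             /* FUTEX_UNLOCK_PI result on the read-only page */
    int unlock_errno;           /* errno from that call                          */
    long cleanup_rc;            /* FUTEX_UNLOCK_PI after restoring RW            */
    uint32_t word_after_cleanup;
};

/* glibc has no futex(2) wrapper; the PI ops used here ignore val and timeout. */
static long futex_pi(uint32_t *uaddr, int op)
{
    return syscall(SYS_futex, uaddr, op, 0, NULL, NULL, 0);
}

static pid_t my_tid(void)
{
    return (pid_t)syscall(SYS_gettid);
}

/* Runs the demonstration; returns 0 on success, -1 if mmap/mprotect fail. */
int run_pi_demo(struct pi_demo_result *r)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    uint32_t *word = mmap(NULL, page, PROT_READ | PROT_WRITE,
                          MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (word == MAP_FAILED)
        return -1;
    *word = 0;                      /* 0 == unlocked, no owner TID */

    /* Go through the kernel instead of the user-space cmpxchg fast path. */
    errno = 0;
    r->lock_rc = futex_pi(word, FUTEX_LOCK_PI_PRIVATE);
    r->word_after_lock = *word;     /* kernel wrote our TID into the word */

    /* "Pull the rug": the word stays readable but is no longer writable. */
    if (mprotect(word, page, PROT_READ) != 0) {
        munmap(word, page);
        return -1;
    }
    errno = 0;
    r->unlock_rc = futex_pi(word, FUTEX_UNLOCK_PI_PRIVATE);
    r->unlock_errno = errno;        /* kernel cannot update the word: EFAULT */

    /* Restore the RW mapping and release the lock properly. */
    if (mprotect(word, page, PROT_READ | PROT_WRITE) != 0) {
        munmap(word, page);
        return -1;
    }
    errno = 0;
    r->cleanup_rc = futex_pi(word, FUTEX_UNLOCK_PI_PRIVATE);
    r->word_after_cleanup = *word;  /* back to 0: unlocked */
    munmap(word, page);
    return 0;
}

int main(void)
{
    struct pi_demo_result r;
    if (run_pi_demo(&r) != 0) {
        perror("setup");
        return 1;
    }
    printf("lock: rc=%ld word=%u (tid %d)\n",
           r.lock_rc, r.word_after_lock, (int)my_tid());
    printf("unlock on read-only page: rc=%ld errno=%d (%s)\n",
           r.unlock_rc, r.unlock_errno, strerror(r.unlock_errno));
    printf("unlock after restoring RW: rc=%ld word=%u\n",
           r.cleanup_rc, r.word_after_cleanup);
    return 0;
}
```

Build with `gcc -O2 -o pi_demo pi_demo.c` and run on Linux. The unlock on the read-only page fails with EFAULT because the kernel must write the futex word atomically and the mapping no longer allows that; once the page is writable again the unlock succeeds and the word returns to 0. This only illustrates the user-space requirement the merge message describes; it does not exercise the contended owner-fixup path that the fix addresses.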