Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 14 Jun 2016 10:04:18 +0200
From: Daniel Borkmann <daniel@...earbox.net>
To: oss-security@...ts.openwall.com
CC: marco.gra@...il.com, cve-assign@...re.org
Subject: Re: Re: Linux Kernel bpf related UAF

On 05/12/2016 05:27 PM, cve-assign@...re.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>> the following reproducer will cause a UAF of a previously allocated memory
>> in bpf.
>>
>> You can reproduce with linux kernel master, or 4.6-rc6 4.6-rc7 and maybe
>> other kernel versions.
>
>> int main(int argc, char **argv)
>> ...
>> r[0] = syscall(SYS_mmap, ...
>> ...
>> r[5] = syscall(SYS_bpf, ...
>
> Use CVE-2016-4794. (We did not run any tests, or look for other
> information, to investigate whether the same reproducer or a similar
> reproducer affects any kernel version that's considered stable or
> longterm.)

Just fyi, the issues have been fixed in the kernel's percpu allocator:

   - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4f996e234dad488e5d9ba0858bc1bae12eff82c3
   - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6710e594f71ccaad8101bc64321152af7cd9ea28

> - --
> CVE Assignment Team
> M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
> [ A PGP key is available for encrypted communications at
>    http://cve.mitre.org/cve/request_id.html ]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBCAAGBQJXNKCMAAoJEHb/MwWLVhi2g8QP/3vBTsa8xuk8NWYWsv3jwNGu
> Ugpl+hUdkQHW4aFzxx96nePBPZpfVeNCGRMdtlCcKVb9wFNUSbRwDPBHFXrfKz9R
> KVf9VHi4CMcBlvPS0MvGZg52SQPAAO7O7cCWpEAdhyxW2gPPxKYo98x4xNuNVlWx
> POD/dVK9ll261g6W+CUSYPtwJgIrPSddnnNCUvbB+XIvV87MGSLp+nE6h8I3L2Yp
> ZisKaT6z6aHqqC0bcySk6V04UlbkfL83eahAz5bWvZeywUEjYvN+kOUlgR8TOxLC
> 8bIQ28Q043XM3VC853rhPQqe5enV6KDRrLgDu1paeFdKYcaHjGkHvkwjRfxjJZIC
> EsNdEl2vGjB1iGTUnFiUep9BteZBRrwfmaTE1yAseaUjEAx/3UK85PpTEqmNkON6
> 1HCInP0LOeZMcggVzBKgRKCXKJZiInxEtSBXhxnPGgxagkOD7enw86gWflSqz3ca
> wdRm/oADgCrQk6CsSGgusCouSyndC/T6ZRCa2/7vCecm2BBi8gxRuT4TZem3A6Ij
> x+zfK7QaMDtELPGL+/rVOSgVCTaihz7oGeBKzqJeuyAv7zN0LxYoNlBsmsoBSTYJ
> Uftvf0T7JTR3AQd1+tB2kOnyGOW4jSCNu66xNifR29j1C7jvKB0+uh891s/3mkzo
> Wttcn/XLKpzXFWtN+mjb
> =DWFZ
> -----END PGP SIGNATURE-----
>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ