Date: Wed, 22 Jun 2016 12:28:38 +0300 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: [vs-plain] Linux kernel stack overflow via ecryptfs and /proc/$pid/environ On Fri, Jun 10, 2016 at 02:46:23PM -0700, John Johansen wrote: > This is a forward notification of a local priv escalation flaw from > security@...nel.org to the OSS security list. The CRD was for > 2016-06-08 14:00:00 UTC. Patches attached to the email. > > The flaw in eCryptfs was assigned CVE-2016-1583. The Project Zero issue is now public: https://bugs.chromium.org/p/project-zero/issues/detail?id=836 and it includes an exploit, which I've re-attached. (The rest of the files, including the crasher, were already posted in here by John.) > Subject: [PATCH 2/3] ecryptfs: forbid opening files without mmap handler https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2f36db71009304b3f0b95afacd8eba1f9f046b87 > Subject: [PATCH 1/3] proc: prevent stacking filesystems on top https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9 > Subject: [PATCH 3/3] sched: panic on corrupted stack end Not committed? Andy Lutomirski is working on virtually mapped stacks with guard pages so that kernel stack overflows would be detected: http://www.openwall.com/lists/kernel-hardening/2016/06/15/1 http://www.openwall.com/lists/kernel-hardening/2016/06/20/14 Linus wants the 1.5us overhead on task creation to be reduced before this gets merged: http://www.openwall.com/lists/kernel-hardening/2016/06/21/10 Alexander View attachment "exploit-description.txt" of type "text/plain" (11816 bytes) Download attachment "exploit.tar.gz" of type "application/x-gzip" (6377 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ