Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 22 Jun 2016 12:28:38 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: [vs-plain] Linux kernel stack overflow via ecryptfs and /proc/$pid/environ

On Fri, Jun 10, 2016 at 02:46:23PM -0700, John Johansen wrote:
> This is a forward notification of a local priv escalation flaw from
> security@...nel.org to the OSS security list. The CRD was for
> 2016-06-08 14:00:00 UTC. Patches attached to the email.
> 
> The flaw in eCryptfs was assigned CVE-2016-1583.

The Project Zero issue is now public:

https://bugs.chromium.org/p/project-zero/issues/detail?id=836

and it includes an exploit, which I've re-attached.  (The rest of the
files, including the crasher, were already posted in here by John.)

> Subject: [PATCH 2/3] ecryptfs: forbid opening files without mmap handler

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2f36db71009304b3f0b95afacd8eba1f9f046b87

> Subject: [PATCH 1/3] proc: prevent stacking filesystems on top

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9

> Subject: [PATCH 3/3] sched: panic on corrupted stack end

Not committed?

Andy Lutomirski is working on virtually mapped stacks with guard pages
so that kernel stack overflows would be detected:

http://www.openwall.com/lists/kernel-hardening/2016/06/15/1
http://www.openwall.com/lists/kernel-hardening/2016/06/20/14

Linus wants the 1.5us overhead on task creation to be reduced before
this gets merged:

http://www.openwall.com/lists/kernel-hardening/2016/06/21/10

Alexander

View attachment "exploit-description.txt" of type "text/plain" (11816 bytes)

Download attachment "exploit.tar.gz" of type "application/x-gzip" (6377 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ