Date: Fri, 29 Jan 2021 11:09:28 +0100
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Linux Kernel: local priv escalation via futexes

Hi,

Yesterday a patchset was merged to Linux Kernel mainline, which could be used
to execute code in the kernel due to bugs in PI futexes.

I am filing a CVE request just now.

Ciao, Marcus

merge commit:

commit c64396cc36c6e60704ab06c1fb1c4a46179c9120
Merge: e5ff2cb9cf67 34b1a1ce1458
Author: Linus Torvalds <torvalds@...ux-foundation.org>
Date:   Thu Jan 28 11:18:43 2021 -0800

    Pull locking fixes from Thomas Gleixner:
     "A set of PI futex fixes:

       - Address a longstanding issue where the user space part of the PI
         futex is not writeable. The kernel returns with inconsistent state
         which can in the worst case result in a UAF of a task's kernel
         stack.

         The solution is to establish consistent kernel state which makes
         future operations on the futex fail because user space and kernel
         space state are inconsistent. Not a problem as PI futexes
         fundamentally require a functional RW mapping and if user space
         pulls the rug under it, then it can keep the pieces it asked for.

       - Address an issue where the return value is incorrect in case that
         the futex was acquired after a timeout/signal made the waiter drop
         out of the rtmutex wait.

         In one of the corner cases the kernel returned an error code
         despite having successfully acquired the futex"

    * tag 'locking-urgent-2021-01-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
      futex: Handle faults correctly for PI futexes
      futex: Simplify fixup_pi_state_owner()
      futex: Use pi_state_update_owner() in put_pi_state()
      rtmutex: Remove unused argument from rt_mutex_proxy_unlock()
      futex: Provide and use pi_state_update_owner()
      futex: Replace pointless printk in fixup_owner()
      futex: Ensure the correct return value from futex_lock_pi()
