Date: Fri, 29 Jan 2021 17:42:08 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Linux Kernel: local priv escalation via futexes

Hi,

I'm not familiar with futexes, but just to save others a few minutes on
looking this up:

On Fri, Jan 29, 2021 at 11:09:28AM +0100, Marcus Meissner wrote:
>        - Address a longstanding issue where the user space part of the PI
>          futex is not writeable. The kernel returns with inconsistent state
>          which can in the worst case result in a UAF of a task's kernel
>          stack.
> 
>          The solution is to establish consistent kernel state which makes
>          future operations on the futex fail because user space and kernel
>          space state are inconsistent. Not a problem as PI futexes
>          fundamentally require a functional RW mapping and if user space
>          pulls the rug under it, then it can keep the pieces it asked for.

>     * tag 'locking-urgent-2021-01-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
>       futex: Handle faults correctly for PI futexes

FWIW, this commit has:

Fixes: 1b7558e457ed ("futexes: fix fault handling in futex_lock_pi")

and that other commit is from 2008.  So probably all currently
maintained Linux distros and deployments are affected, unless something
else mitigated the issue in some kernel versions.

Alexander
