Date: Mon, 15 Jun 2020 19:02:51 +0200 From: Jann Horn <jannh@...gle.com> To: John Haxby <john.haxby@...cle.com> Cc: oss-security@...ts.openwall.com, "Jason A. Donenfeld" <Jason@...c4.com>, linux-security-module <linux-security-module@...r.kernel.org>, linux-acpi@...r.kernel.org, Matthew Garrett <mjg59@...f.ucam.org>, Kernel Hardening <kernel-hardening@...ts.openwall.com>, Ubuntu Kernel Team <kernel-team@...ts.ubuntu.com> Subject: Re: [oss-security] lockdown bypass on mainline kernel for loading unsigned modules On Mon, Jun 15, 2020 at 6:24 PM John Haxby <john.haxby@...cle.com> wrote: > > On 15 Jun 2020, at 11:26, Jason A. Donenfeld <Jason@...c4.com> wrote: > > Yesterday, I found a lockdown bypass in Ubuntu 18.04's kernel using > > ACPI table tricks via the efi ssdt variable . Today I found another > > one that's a bit easier to exploit and appears to be unpatched on > > mainline, using acpi_configfs to inject an ACPI table. The tricks are > > basically the same as the first one, but this one appears to be > > unpatched, at least on my test machine. Explanation is in the header > > of the PoC: > > > > https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh > > > > I need to get some sleep, but if nobody posts a patch in the > > meanwhile, I'll try to post a fix tomorrow. > > > > Jason > > > >  https://www.openwall.com/lists/oss-security/2020/06/14/1 > > > This looks CVE-worthy. Are you going to ask for a CVE for it? Does it really make sense to dole out CVEs for individual lockdown bypasses when various areas of the kernel (such as filesystems and BPF) don't see root->kernel privilege escalation issues as a problem? It's not like applying the fix for this one issue is going to make systems meaningfully safer.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.