Date: Fri, 29 Jan 2021 17:42:08 +0100 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: Linux Kernel: local priv escalation via futexes Hi, I'm not familiar with futexes, but just to save others a few minutes on looking this up: On Fri, Jan 29, 2021 at 11:09:28AM +0100, Marcus Meissner wrote: > - Address a longstanding issue where the user space part of the PI > futex is not writeable. The kernel returns with inconsistent state > which can in the worst case result in a UAF of a tasks kernel > stack. > > The solution is to establish consistent kernel state which makes > future operations on the futex fail because user space and kernel > space state are inconsistent. Not a problem as PI futexes > fundamentaly require a functional RW mapping and if user space > pulls the rug under it, then it can keep the pieces it asked for. > * tag 'locking-urgent-2021-01-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: > futex: Handle faults correctly for PI futexes FWIW, this commit has: Fixes: 1b7558e457ed ("futexes: fix fault handling in futex_lock_pi") and that other commit is from 2008. So probably all currently maintained Linux distros and deployments are affected, unless something else mitigated the issue in some kernel versions. Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.