Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 25 Jul 2023 14:31:55 +0200
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Cc: Tamas Koczka <poprdi@...omium.org>
Subject: Re: Our learnings from 42 Linux kernel exploits, we
 are limiting io_uring

Hi,

https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html

has been updated with exploit information.

I tried to backtrack through kernel git to find the exact commit where
this locking problem got fixed, but I gave up after a while after multiple
refactoring (and a filemove) in the io_uring codel.

Cia, Marcus

On Wed, Jul 19, 2023 at 09:47:15AM +0200, Marcus Meissner wrote:
> Hi,
> 
> On Fri, Jul 14, 2023 at 08:06:56PM +0200, Solar Designer wrote:
> > Hi,
> > 
> > Thank you for bringing this to oss-security back then.  I have a few
> > questions below that I think you could clarify for everyone.  I'll quote
> > more of your message than I normally do since it's been a while.
> 
> ...
> 
> > There's a recent write-up on an exploitation technique that also
> > partially describes CVE-2023-21400, "a double free vulnerability in
> > io_uring [...] found by Ye Zhang and [Nicolas Wu] last year, affecting
> > kernel 5.10. [...] we exploit CVE-2023-21400 with Dirty Pagetable on
> > Google Pixel 7."
> > 
> > Dirty Pagetable: A Novel Exploitation Technique To Rule Linux Kernel
> > https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html
> > 
> > I wish this vulnerability and exploitation technique were properly
> > brought to oss-security on its own, and in a context not limited to
> > Google Pixel.  Maybe it will be once the full description is made
> > public, as right now the write-up above omits vulnerability detail.
> > 
> > It appears that this got patched in the July 5 update for Google Pixel:
> > 
> > Pixel Update Bulletin - July 2023
> > Published July 5, 2023
> > https://source.android.com/docs/security/bulletin/pixel/2023-07-01
> > 
> > "For Google devices, security patch levels of 2023-07-05 or later
> > address all issues in this bulletin and all issues in the July 2023
> > Android Security Bulletin."
> > 
> > "CVE-2023-21400	A-264663832 *	EoP	Moderate	Kernel io_uring"
> > 
> > Nothing is mentioned about seccomp-bpf on either of the above web pages,
> > although maybe it's factored into the Moderate severity rating?
> > 
> > I understand that with vulnerability detail still not public you might
> > not be able to tell much, but I am wondering whether there's any
> > inconsistency here (seccomp-bpf on Android was meant to prevent this,
> > but did not?) or just a misunderstanding or something else.  I wonder
> > if a vulnerability in io_uring could be such that it's exploitable
> > without io_uring access directly from the attacking app.
> 
> FWIW we reached out to the Android CNA team, but their statement back
> to us was that they pulled quite a number of backport commits into their 5.5
> and 5.10 based trees, but did either not specify nor identify specific commits
> fixing the issue (or further details) so far.
> 
> Ciao, Marcus

-- 
Marcus Meissner (he/him), Distinguished Engineer / Senior Project Manager Security
SUSE Software Solutions Germany GmbH, Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Ivo Totev, Andrew Myers, Andrew McDonald, Martje Boudien Moerman, HRB 36809, AG Nuernberg

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.