oss-sec mailing list archives
Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring
From: Marcus Meissner <meissner () suse de>
Date: Wed, 19 Jul 2023 09:47:15 +0200
Hi, On Fri, Jul 14, 2023 at 08:06:56PM +0200, Solar Designer wrote:
Hi, Thank you for bringing this to oss-security back then. I have a few questions below that I think you could clarify for everyone. I'll quote more of your message than I normally do since it's been a while.
...
There's a recent write-up on an exploitation technique that also partially describes CVE-2023-21400, "a double free vulnerability in io_uring [...] found by Ye Zhang and [Nicolas Wu] last year, affecting kernel 5.10. [...] we exploit CVE-2023-21400 with Dirty Pagetable on Google Pixel 7." Dirty Pagetable: A Novel Exploitation Technique To Rule Linux Kernel https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html I wish this vulnerability and exploitation technique were properly brought to oss-security on its own, and in a context not limited to Google Pixel. Maybe it will be once the full description is made public, as right now the write-up above omits vulnerability detail. It appears that this got patched in the July 5 update for Google Pixel: Pixel Update Bulletin - July 2023 Published July 5, 2023 https://source.android.com/docs/security/bulletin/pixel/2023-07-01 "For Google devices, security patch levels of 2023-07-05 or later address all issues in this bulletin and all issues in the July 2023 Android Security Bulletin." "CVE-2023-21400 A-264663832 * EoP Moderate Kernel io_uring" Nothing is mentioned about seccomp-bpf on either of the above web pages, although maybe it's factored into the Moderate severity rating? I understand that with vulnerability detail still not public you might not be able to tell much, but I am wondering whether there's any inconsistency here (seccomp-bpf on Android was meant to prevent this, but did not?) or just a misunderstanding or something else. I wonder if a vulnerability in io_uring could be such that it's exploitable without io_uring access directly from the attacking app.
FWIW we reached out to the Android CNA team, but their statement back to us was that they pulled quite a number of backport commits into their 5.5 and 5.10 based trees, but did either not specify nor identify specific commits fixing the issue (or further details) so far. Ciao, Marcus
Current thread:
- Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring Solar Designer (Jul 14)
- Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring Marcus Meissner (Jul 19)
- Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring Marcus Meissner (Jul 25)
- Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring Solar Designer (Jul 25)
- Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring Marcus Meissner (Jul 25)
- Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring Tamás Koczka (Jul 19)
- Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring Marcus Meissner (Jul 19)