oss-sec mailing list archives
Re: Linux kernel futex local privilege escalation (CVE-2014-3153)
From: Solar Designer <solar () openwall com>
Date: Thu, 5 Jun 2014 19:24:30 +0400
Greg, Thomas - On Thu, Jun 05, 2014 at 06:45:45PM +0400, Solar Designer wrote:
This was handled via linux-distros, hence the mandatory oss-security posting. The issue was made public earlier today, and is included in this Debian advisory: https://lists.debian.org/debian-security-announce/2014/msg00130.html --- CVE-2014-3153 Pinkie Pie discovered an issue in the futex subsystem that allows a local user to gain ring 0 control via the futex syscall. An unprivileged user could use this flaw to crash the kernel (resulting in denial of service) or for privilege escalation. --- I've attached patches by Thomas Gleixner (four e-mails, in mbox format),
Can you comment on how the four patches: Subject: [patch 1/4] futex-prevent-requeue-pi-on-same-futex.patch Subject: [patch 2/4] futex: Validate atomic acquisition in Subject: [patch 3/4] futex: Always cleanup owner tid in unlock_pi Subject: [patch 4/4] futex: Make lookup_pi_state more robust relate to these two on LKML: Subject: [PATCH 3.14 001/228] futex: Add another early deadlock detection check Subject: [PATCH 3.14 002/228] futex: Prevent attaching to kernel threads http://lists.openwall.net/linux-kernel/2014/06/05/179 http://lists.openwall.net/linux-kernel/2014/06/05/176 3.10: http://lists.openwall.net/linux-kernel/2014/06/04/894 http://lists.openwall.net/linux-kernel/2014/06/04/893 3.4: http://lists.openwall.net/linux-kernel/2014/06/05/437 http://lists.openwall.net/linux-kernel/2014/06/05/436 It appears that "futex: Add another early deadlock detection check" is assumed to have been applied, and is being revised further by "futex: Make lookup_pi_state more robust", but "futex: Prevent attaching to kernel threads" is a patch on its own, not touched by the four patches. Correct? Should distros be applying "futex: Prevent attaching to kernel threads" as well (back-porting it as necessary)? Does it have security impact (it appears so)? Thanks, and sorry for my confusion. Alexander
Current thread:
- Linux kernel futex local privilege escalation (CVE-2014-3153) Solar Designer (Jun 05)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) Solar Designer (Jun 05)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) Greg KH (Jun 05)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) Kees Cook (Jun 05)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) Phil Turnbull (Jun 05)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) John Johansen (Jun 05)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) Rich Felker (Jun 05)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) Solar Designer (Jun 05)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) Rich Felker (Jun 05)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) Thomas Gleixner (Jun 05)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) rf (Jun 06)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) Greg KH (Jun 06)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) Solar Designer (Jun 05)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) Solar Designer (Jun 05)