oss-sec mailing list archives
Re: [vs-plain] Linux kernel stack overflow via ecryptfs and /proc/$pid/environ
From: Solar Designer <solar () openwall com>
Date: Wed, 22 Jun 2016 12:28:38 +0300
On Fri, Jun 10, 2016 at 02:46:23PM -0700, John Johansen wrote:
This is a forward notification of a local priv escalation flaw from security () kernel org to the OSS security list. The CRD was for 2016-06-08 14:00:00 UTC. Patches attached to the email. The flaw in eCryptfs was assigned CVE-2016-1583.
The Project Zero issue is now public: https://bugs.chromium.org/p/project-zero/issues/detail?id=836 and it includes an exploit, which I've re-attached. (The rest of the files, including the crasher, were already posted in here by John.)
Subject: [PATCH 2/3] ecryptfs: forbid opening files without mmap handler
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2f36db71009304b3f0b95afacd8eba1f9f046b87
Subject: [PATCH 1/3] proc: prevent stacking filesystems on top
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9
Subject: [PATCH 3/3] sched: panic on corrupted stack end
Not committed? Andy Lutomirski is working on virtually mapped stacks with guard pages so that kernel stack overflows would be detected: http://www.openwall.com/lists/kernel-hardening/2016/06/15/1 http://www.openwall.com/lists/kernel-hardening/2016/06/20/14 Linus wants the 1.5us overhead on task creation to be reduced before this gets merged: http://www.openwall.com/lists/kernel-hardening/2016/06/21/10 Alexander
Attachment:
exploit-description.txt
Description:
Attachment:
exploit.tar.gz
Description:
Current thread:
- [vs-plain] Linux kernel stack overflow via ecryptfs and /proc/$pid/environ John Johansen (Jun 10)
- Re: [vs-plain] Linux kernel stack overflow via ecryptfs and /proc/$pid/environ Willy Tarreau (Jun 10)
- Re: [vs-plain] Linux kernel stack overflow via ecryptfs and /proc/$pid/environ Solar Designer (Jun 22)