Re: Re: Linux kernel: CVE-2017-1000112: Exploitable memory corruption due to UFO to non-UFO path switch

[Solar Designer <solar () openwall com>]

On Sun, Aug 13, 2017 at 06:21:55PM +0200, Andrey Konovalov wrote:
> ### Exploitation
>
> The bug can be exploited by an unprivileged user if:
>
> 1. User can set up an interface with UFO enabled and MTU < 65535 or
> such interface is already present in the system. The former is
> possible from inside a user namespace.
>
> 2. User can disable the NETIF_F_UFO interface feature or set the
> SO_NO_CHECK socket option. The former requires CAP_NET_ADMIN. The
> latter is only possible after 40ba330227ad ("udp: disallow UFO for
> sockets with SO_NO_CHECK option") from Jan 11 2016. Both are possible
> from inside a user namespace.
>
> In particular, the bug can be exploited by an unprivileged user if
> unprivileged user namespaces are available.
>
> Below is a link to a proof-of-concept exploit, that gets root on a
> range of Ubuntu kernels. The exploit triggers an out-of-bounds write
> on a socket buffer and overwrites
> skb_shared_info.destructor_arg->callback with a pointer to shellcode.
> The exploit includes a SMEP and KASLR bypasses, but no SMAP bypass.
>
> Link: https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c

Nice collection of Linux kernel exploits you got there:

https://github.com/xairy/kernel-exploits

Also relevant:

https://github.com/xairy/ubuntu-hardening#restict-information-exposed-by-the-kernel
https://github.com/xairy/kaslr-bypass-via-prefetch
https://github.com/xairy/linux-kernel-exploitation

Still, for archival purposes please attach the actual exploits to your
oss-security postings as well.  I've attached your poc.c for this bug.

Alexander

Attachment: poc.c
Description: