oss-sec mailing list archives
Linux kernel: Exploitable vulnerabilities in AF_VSOCK implementation
From: Alexander Popov <alex.popov () linux com>
Date: Fri, 5 Feb 2021 00:43:31 +0300
Hello!

Let me inform you about the Linux kernel vulnerabilities that I've found in the AF_VSOCK implementation. I managed to exploit one of them for a local privilege escalation on Fedora Server 33 for x86_64, bypassing SMEP and SMAP. I'm going to share all the details about the exploit techniques later.

CONFIG_VSOCKETS and CONFIG_VIRTIO_VSOCKETS are shipped as kernel modules in all major GNU/Linux distributions. The vulnerable modules are automatically loaded when you create a socket for AF_VSOCK. That is available for unprivileged users, and user namespaces are not needed for that.

These vulnerabilities are race conditions caused by wrong locking in net/vmw_vsock/af_vsock.c. The race conditions were implicitly introduced in November 2019 in the commits c0cfa2d8a788fcf4 and 6a2c0962105ae8ce that added VSOCK multi-transport support. These commits were merged in the Linux kernel v5.5-rc1.

I prepared the fixing patch and made responsible disclosure to security () kernel org. Now the patch is merged into the mainline kernel:

"vsock: fix the race conditions in multi-transport support"
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c518adafa39f37858697ac9309c6cf1805581446

This patch is also backported into the affected stable trees.

I've requested a CVE ID for these vulnerabilities at https://cveform.mitre.org/.

Best regards,
Alexander
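The post's key exposure point is that an ordinary user creating an AF_VSOCK socket is enough to pull the vulnerable modules into the kernel. The following program, an added example that is not part of the original post or of Alexander Popov's work, lets an administrator confirm that on a given host: it records whether `vsock` is listed in /proc/modules, attempts the socket as the current user, and classifies the outcome. It assumes a Linux libc that defines `AF_VSOCK` and a readable /proc/modules; `module_listed`, `probe_vsock` and `module_loaded_now` are names chosen here.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum vsock_probe { VSOCK_CREATED, VSOCK_UNSUPPORTED, VSOCK_DENIED, VSOCK_ERROR };

/* 1 if `name` is the first field of any line in /proc/modules-style text, else 0. */
int module_listed(const char *text, const char *name)
{
    size_t n = strlen(name);
    for (const char *line = text; line; line = strchr(line, '\n')) {
        if (*line == '\n') line++;   /* step past the previous line's terminator */
        if (strncmp(line, name, n) == 0 && line[n] == ' ') return 1;
    }
    return 0;
}

/* Create an AF_VSOCK stream socket as the current user and classify the result. */
enum vsock_probe probe_vsock(void)
{
    int fd = socket(AF_VSOCK, SOCK_STREAM, 0);
    if (fd >= 0) { close(fd); return VSOCK_CREATED; }
    if (errno == EAFNOSUPPORT || errno == EPROTONOSUPPORT) return VSOCK_UNSUPPORTED;
    if (errno == EACCES || errno == EPERM) return VSOCK_DENIED;
    return VSOCK_ERROR;
}

/* 1 if the running kernel lists `name` in /proc/modules right now (0 if unreadable). */
int module_loaded_now(const char *name)
{
    char line[1024];
    int found = 0;
    FILE *f = fopen("/proc/modules", "r");
    if (!f) return 0;
    while (!found && fgets(line, sizeof line, f)) found = module_listed(line, name);
    fclose(f);
    return found;
}

int main(void)
{
    static const char *label[] = { "created", "unsupported", "denied", "error" };
    int before = module_loaded_now("vsock");   /* snapshot before the socket call */
    enum vsock_probe r = probe_vsock();
    printf("AF_VSOCK socket %s; vsock loaded before=%d after=%d\n",
           label[r], before, module_loaded_now("vsock"));
    return 0;
}
```

A result of `created` with `before=0 after=1` on a kernel without the fix reproduces the exposure the post describes; on hosts that have no use for vsock, preventing the module from autoloading (for example a modprobe.d rule `install vsock /bin/false`) removes that surface until the fixed kernel is deployed.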