oss-sec mailing list archives
Re: Linux kernel: Exploitable vulnerabilities in AF_VSOCK implementation
From: Alexander Popov <alex.popov () linux com>
Date: Fri, 05 Feb 2021 18:33:26 +0300
On February 5, 2021 12:43:31 AM GMT+03:00, Alexander Popov <alex.popov () linux com> wrote:
Hello!

Let me inform you about the Linux kernel vulnerabilities that I've found in the AF_VSOCK implementation.

I managed to exploit one of them for a local privilege escalation on Fedora Server 33 for x86_64, bypassing SMEP and SMAP. I'm going to share all the details about the exploit techniques later.

CONFIG_VSOCKETS and CONFIG_VIRTIO_VSOCKETS are shipped as kernel modules in all major GNU/Linux distributions. The vulnerable modules are automatically loaded when you create a socket for AF_VSOCK. That is available for unprivileged users, and user namespaces are not needed for that.

These vulnerabilities are race conditions caused by wrong locking in net/vmw_vsock/af_vsock.c. The race conditions were implicitly introduced in November 2019 in the commits c0cfa2d8a788fcf4 and 6a2c0962105ae8ce that added VSOCK multi-transport support. These commits were merged in the Linux kernel v5.5-rc1.

I prepared the fixing patch and made a responsible disclosure to security () kernel org. Now the patch is merged into the mainline kernel:

"vsock: fix the race conditions in multi-transport support"
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c518adafa39f37858697ac9309c6cf1805581446

This patch is also backported into the affected stable trees.

I've requested a CVE ID for these vulnerabilities at https://cveform.mitre.org/.
CVE-2021-26708 is assigned to these issues:
https://nvd.nist.gov/vuln/detail/CVE-2021-26708

Best regards,
Alexander
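A defender-side audit for the point made above, that the vulnerable modules are autoloaded by an unprivileged AF_VSOCK socket() call: this is an added example, not part of Alexander Popov's email. It assumes that CONFIG_VSOCKETS builds vsock.ko and CONFIG_VIRTIO_VSOCKETS builds vmw_vsock_virtio_transport.ko, and that the vsock module's net-pf-40 alias (PF_VSOCK is 40) is what triggers the autoload.

```shell
#!/bin/sh
# Added example: audit a host for the AF_VSOCK modules the advisory names and
# for a modprobe rule that stops socket(AF_VSOCK, ...) from autoloading them.
# Assumed module names: vsock (CONFIG_VSOCKETS) and vmw_vsock_* transports
# (CONFIG_VIRTIO_VSOCKETS); assumed autoload trigger: the net-pf-40 alias.

# Print the names of loaded vsock-related modules, one per line.
# $1: path to a /proc/modules-style file (defaults to the live one).
vsock_modules_loaded() {
    awk '$1 == "vsock" || $1 ~ /^vmw_vsock_/ { print $1 }' "${1:-/proc/modules}"
}

# Return 0 if a modprobe.d directory carries an "install vsock ..." rule, which
# replaces the load command for vsock (by name or via the net-pf-40 alias) and
# so neutralises autoloading; return 1 otherwise.
# $1: modprobe.d directory (defaults to /etc/modprobe.d).
vsock_autoload_blocked() {
    dir="${1:-/etc/modprobe.d}"
    [ -d "$dir" ] || return 1
    grep -Eqs '^[[:space:]]*install[[:space:]]+vsock[[:space:]]' "$dir"/*.conf
}

# Write the blocking rule. Only appropriate where nothing on the host needs
# vsock (a VM guest agent talking to its hypervisor over vsock would break).
# $1: modprobe.d directory.
write_vsock_block_rule() {
    printf 'install vsock /bin/false\n' > "$1/vsock-cve-2021-26708.conf"
}

# Report on the live system when invoked as: sh vsock_audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    echo "loaded vsock-related modules:"
    vsock_modules_loaded
    if vsock_autoload_blocked; then
        echo "vsock autoload: blocked by modprobe.d install rule"
    else
        echo "vsock autoload: NOT blocked (socket(AF_VSOCK) can load the module)"
    fi
fi
```

On a patched kernel the rule is unnecessary; it is a stopgap for hosts that cannot take the backported fix and have no legitimate vsock user.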