Re: Linux Kernel: local priv escalation via futexes

[Marcus Meissner <meissner () suse de>]

Hi,

Mitre has now assigned CVE-2021-3347.

On Fri, Jan 29, 2021 at 05:42:08PM +0100, Solar Designer wrote:
> Hi,
>
> I'm not familiar with futexes, but just to save others a few minutes on
> looking this up:

(Is anyone? Futex are too complex for me at least, I would guess also 
 using them is error prone.)

> On Fri, Jan 29, 2021 at 11:09:28AM +0100, Marcus Meissner wrote:
> >        - Address a longstanding issue where the user space part of the PI
> >          futex is not writeable. The kernel returns with inconsistent state
> >          which can in the worst case result in a UAF of a tasks kernel
> >          stack.
> >
> >          The solution is to establish consistent kernel state which makes
> >          future operations on the futex fail because user space and kernel
> >          space state are inconsistent. Not a problem as PI futexes
> >          fundamentaly require a functional RW mapping and if user space
> >          pulls the rug under it, then it can keep the pieces it asked for.
>
> >     * tag 'locking-urgent-2021-01-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
> >       futex: Handle faults correctly for PI futexes
>
> FWIW, this commit has:
>
> Fixes: 1b7558e457ed ("futexes: fix fault handling in futex_lock_pi")
>
> and that other commit is from 2008.  So probably all currently
> maintained Linux distros and deployments are affected, unless something
> else mitigated the issue in some kernel versions.

Yes, goes back to a long history, sorry for leaving this out.

Ciao, Marcus