oss-sec mailing list archives
Re: Linux Kernel: local priv escalation via futexes
From: Marcus Meissner <meissner () suse de>
Date: Fri, 29 Jan 2021 18:01:11 +0100
Hi,

Mitre has now assigned CVE-2021-3347.

On Fri, Jan 29, 2021 at 05:42:08PM +0100, Solar Designer wrote:
> Hi,
>
> I'm not familiar with futexes, but just to save others a few minutes on
> looking this up:

(Is anyone? Futexes are too complex for me at least; I would guess also
using them is error prone.)

> On Fri, Jan 29, 2021 at 11:09:28AM +0100, Marcus Meissner wrote:
> >  - Address a longstanding issue where the user space part of the PI
> >    futex is not writeable. The kernel returns with inconsistent state
> >    which can in the worst case result in a UAF of a task's kernel
> >    stack. The solution is to establish consistent kernel state which
> >    makes future operations on the futex fail because user space and
> >    kernel space state are inconsistent. Not a problem as PI futexes
> >    fundamentally require a functional RW mapping and if user space
> >    pulls the rug under it, then it can keep the pieces it asked for.
> >
> > * tag 'locking-urgent-2021-01-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
> >       futex: Handle faults correctly for PI futexes
>
> FWIW, this commit has:
>
> Fixes: 1b7558e457ed ("futexes: fix fault handling in futex_lock_pi")
>
> and that other commit is from 2008. So probably all currently maintained
> Linux distros and deployments are affected, unless something else
> mitigated the issue in some kernel versions.

Yes, goes back to a long history, sorry for leaving this out.

Ciao, Marcus
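The triage step Solar Designer describes above (find the fix commit, read its Fixes: trailer, and conclude that everything since the introducing commit is affected) can be mechanised. The following is an added example, not code from the thread or from the kernel project: it parses kernel-style Fixes: trailers out of constructed commit records and reports the affected window. The hash 1b7558e457ed and both commit subjects are the ones named in the thread; the fix commit's hash ("fixfixfixfix") and all tag names are placeholders, since the thread does not give them.

```python
"""Triage helper: locate a fix commit by subject, read its kernel-style
Fixes: trailer, and report which commit (and tag) introduced the bug."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Kernel trailer format: Fixes: <abbrev-sha> ("<subject of the buggy commit>")
FIXES_RE = re.compile(r'^Fixes:\s*([0-9a-f]{7,40})\s+\("(.*?)"\)\s*$', re.MULTILINE)


@dataclass(frozen=True)
class Commit:
    sha: str        # abbreviated or full hash
    subject: str    # first line of the commit message
    body: str       # rest of the message, where trailers such as Fixes: live
    first_tag: str  # earliest tag containing the commit (what `git describe --contains` gives)


# Constructed sample log. Real values from the thread: 1b7558e457ed and both
# subjects. Placeholders (not real): "fixfixfixfix", "abcdef012345" and every tag.
SAMPLE_LOG: List[Commit] = [
    Commit("1b7558e457ed", "futexes: fix fault handling in futex_lock_pi",
           "(body not reproduced)", "v-introduced-placeholder"),
    Commit("abcdef012345", "unrelated: some other change",
           'Fixes: 0123456789ab ("unrelated: earlier change")', "v-other-placeholder"),
    Commit("fixfixfixfix", "futex: Handle faults correctly for PI futexes",
           "Address a longstanding issue where the user space part of the PI\n"
           "futex is not writeable.\n\n"
           'Fixes: 1b7558e457ed ("futexes: fix fault handling in futex_lock_pi")\n'
           "Cc: stable@vger.kernel.org\n",
           "v-fixed-placeholder"),
]


def parse_fixes(body: str) -> List[Tuple[str, str]]:
    """Return every (sha, subject) pair named in Fixes: trailers of a message body."""
    return FIXES_RE.findall(body)


def find_by_subject(commits: List[Commit], subject: str) -> Optional[Commit]:
    for c in commits:
        if c.subject == subject:
            return c
    return None


def find_by_sha(commits: List[Commit], sha: str) -> Optional[Commit]:
    # Fixes: trailers carry abbreviated hashes, so match on a common prefix.
    for c in commits:
        if c.sha.startswith(sha) or sha.startswith(c.sha):
            return c
    return None


def affected_window(commits: List[Commit], fix_subject: str) -> dict:
    """Describe the affected range: which commit/tag introduced the bug and which fixed it.

    A fix without a Fixes: trailer gives no lower bound, so the conservative
    reading is that every release before the fix is affected.
    """
    fix = find_by_subject(commits, fix_subject)
    if fix is None:
        raise LookupError(f"no commit with subject {fix_subject!r}")
    window = {"fixed_by": fix.sha, "fixed_in": fix.first_tag,
              "introduced_by": None, "introduced_in": None, "note": ""}
    fixes = parse_fixes(fix.body)
    if not fixes:
        window["note"] = "no Fixes: trailer; treat all releases before the fix as affected"
        return window
    bug_sha, bug_subject = fixes[0]
    bug = find_by_sha(commits, bug_sha)
    window["introduced_by"] = bug.sha if bug else bug_sha
    window["introduced_in"] = bug.first_tag if bug else None
    if bug is None:
        window["note"] = f"introducing commit {bug_sha} ({bug_subject}) not in the supplied log"
    return window


if __name__ == "__main__":
    w = affected_window(SAMPLE_LOG, "futex: Handle faults correctly for PI futexes")
    print(f"introduced by {w['introduced_by']} (first in {w['introduced_in']}), "
          f"fixed by {w['fixed_by']} (first in {w['fixed_in']})")
```

In practice the records would come from `git log --format='%h%x00%s%x00%b'` over the kernel tree plus `git describe --contains` per hash; only the parsing and the conservative handling of a missing Fixes: trailer are shown here.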