oss-sec mailing list archives
Re: Linux kernel: Heap buffer overflow in fs_context.c since version 5.1
From: John Haxby <john.haxby () oracle com>
Date: Tue, 18 Jan 2022 18:57:57 +0000
On 18 Jan 2022, at 18:21, Will <willsroot () protonmail com> wrote:

> There is a heap overflow bug in legacy_parse_param in which the length of data copied can be incremented beyond the width of the 1-page slab allocated for it. We currently have created functional LPE exploits against Ubuntu 20.04 and container escape exploits against Google's hardened COS.
>
> The bug was introduced in 5.1-rc1 (https://github.com/torvalds/linux/commit/3e1aeb00e6d132efc151dacc062b38269bc9eccc#diff-c4a9ea83de4a42a0d1bcbaf1f03ce35188f38da4987e0e7a52aae7f04de14a05) and is present in all Linux releases since. As of January 18th, this patch (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=722d94847de29310e8aa03fcbdb41fc92c521756) fixes this issue.
>
> The bug is caused by an integer underflow present in fs/fs_context.c:legacy_parse_param, which results in miscalculation of a valid max length. A bounds check is present at fs_context.c:551, returning an error if (len > PAGE_SIZE - 2 - size); however, if the value of size is greater than or equal to 4095, the unsigned subtraction will underflow to a massive value greater than len, so the check will not trigger. After this, the attacker may freely write data out-of-bounds. Changing the check to size + len + 2 > PAGE_SIZE (which the patch did) would fix this.
>
> Exploitation relies on the CAP_SYS_ADMIN capability; however, the permission only needs to be granted in the current namespace. An unprivileged user can use unshare(CLONE_NEWNS|CLONE_NEWUSER) to enter a namespace with the CAP_SYS_ADMIN permission, and then proceed with exploitation to root the system.
This is CVE-2022-0185

jch
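The unsigned underflow in the bounds check quoted above, worked through as an added example. This is illustration code written for this archive page, not the kernel's fs_context.c and not anything the poster published: it models only the check itself, assuming a 4096-byte page and that the copy consumes size + len + 2 bytes (the two extra bytes being what the patched expression accounts for). The vulnerable expression is placed beside the patched one so the difference in behaviour at size >= 4095 can be checked directly.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed for this illustration: a 4096-byte page, as on x86-64.
 * Undefined first in case a system header already defines the macro. */
#ifdef PAGE_SIZE
#undef PAGE_SIZE
#endif
#define PAGE_SIZE 4096UL

/* Pre-patch check, as quoted in the report: reject when
 *     len > PAGE_SIZE - 2 - size
 * Both operands are unsigned, so once size >= PAGE_SIZE - 1 the
 * right-hand side wraps around to a value near SIZE_MAX and no len
 * can exceed it: the check silently stops rejecting anything. */
static bool vulnerable_check_rejects(size_t size, size_t len)
{
    return len > PAGE_SIZE - 2 - size;
}

/* Patched check from the fix referenced in the report:
 *     size + len + 2 > PAGE_SIZE
 * Only additions are involved, so there is no wrap-around for any
 * realistic size/len (both are bounded far below SIZE_MAX here). */
static bool fixed_check_rejects(size_t size, size_t len)
{
    return size + len + 2 > PAGE_SIZE;
}

/* Assumed model of the copy: it occupies size + len + 2 bytes of the
 * one-page buffer. Returns how many of those bytes would land past the
 * end of the page (0 when the write stays in bounds). */
static size_t overflow_bytes(size_t size, size_t len)
{
    size_t needed = size + len + 2;
    return needed > PAGE_SIZE ? needed - PAGE_SIZE : 0;
}

/* Scan the cumulative buffer size upward and report the first value at
 * which the pre-patch check accepts an obviously oversized length
 * (a full page).  Returns PAGE_SIZE + 1 if no such size exists. */
static size_t first_unguarded_size(void)
{
    for (size_t size = 0; size <= PAGE_SIZE; size++) {
        if (!vulnerable_check_rejects(size, PAGE_SIZE))
            return size;
    }
    return PAGE_SIZE + 1;
}

int main(void)
{
    size_t cases[][2] = {
        { 0,    100 },  /* plenty of room: both checks accept */
        { 4094, 1   },  /* exactly one byte too many: both reject */
        { 4095, 100 },  /* underflow: old check accepts, new rejects */
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t size = cases[i][0], len = cases[i][1];
        printf("size=%4zu len=%3zu  old rejects=%d  new rejects=%d  "
               "bytes past page=%zu\n",
               size, len,
               vulnerable_check_rejects(size, len),
               fixed_check_rejects(size, len),
               overflow_bytes(size, len));
    }
    printf("old check stops guarding at size=%zu\n", first_unguarded_size());
    return 0;
}
```

The scan confirms the threshold the report gives: at size 4094 the old expression still evaluates to 0 and rejects any non-zero len, while at size 4095 it wraps and accepts everything, so every byte of the following copy beyond the page boundary goes out of bounds.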