oss-sec mailing list archives
Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring
From: Marcus Meissner <meissner () suse de>
Date: Tue, 25 Jul 2023 14:31:55 +0200
Hi, https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html has been updated with exploit information. I tried to backtrack through kernel git to find the exact commit where this locking problem got fixed, but I gave up after a while after multiple refactoring (and a filemove) in the io_uring codel. Cia, Marcus On Wed, Jul 19, 2023 at 09:47:15AM +0200, Marcus Meissner wrote:
Hi, On Fri, Jul 14, 2023 at 08:06:56PM +0200, Solar Designer wrote:Hi, Thank you for bringing this to oss-security back then. I have a few questions below that I think you could clarify for everyone. I'll quote more of your message than I normally do since it's been a while....There's a recent write-up on an exploitation technique that also partially describes CVE-2023-21400, "a double free vulnerability in io_uring [...] found by Ye Zhang and [Nicolas Wu] last year, affecting kernel 5.10. [...] we exploit CVE-2023-21400 with Dirty Pagetable on Google Pixel 7." Dirty Pagetable: A Novel Exploitation Technique To Rule Linux Kernel https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html I wish this vulnerability and exploitation technique were properly brought to oss-security on its own, and in a context not limited to Google Pixel. Maybe it will be once the full description is made public, as right now the write-up above omits vulnerability detail. It appears that this got patched in the July 5 update for Google Pixel: Pixel Update Bulletin - July 2023 Published July 5, 2023 https://source.android.com/docs/security/bulletin/pixel/2023-07-01 "For Google devices, security patch levels of 2023-07-05 or later address all issues in this bulletin and all issues in the July 2023 Android Security Bulletin." "CVE-2023-21400 A-264663832 * EoP Moderate Kernel io_uring" Nothing is mentioned about seccomp-bpf on either of the above web pages, although maybe it's factored into the Moderate severity rating? I understand that with vulnerability detail still not public you might not be able to tell much, but I am wondering whether there's any inconsistency here (seccomp-bpf on Android was meant to prevent this, but did not?) or just a misunderstanding or something else. I wonder if a vulnerability in io_uring could be such that it's exploitable without io_uring access directly from the attacking app.FWIW we reached out to the Android CNA team, but their statement back to us was that they pulled quite a number of backport commits into their 5.5 and 5.10 based trees, but did either not specify nor identify specific commits fixing the issue (or further details) so far. Ciao, Marcus
-- Marcus Meissner (he/him), Distinguished Engineer / Senior Project Manager Security SUSE Software Solutions Germany GmbH, Frankenstrasse 146, 90461 Nuernberg, Germany GF: Ivo Totev, Andrew Myers, Andrew McDonald, Martje Boudien Moerman, HRB 36809, AG Nuernberg
Current thread:
- Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring Solar Designer (Jul 14)
- Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring Marcus Meissner (Jul 19)
- Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring Marcus Meissner (Jul 25)
- Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring Solar Designer (Jul 25)
- Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring Marcus Meissner (Jul 25)
- Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring Tamás Koczka (Jul 19)
- Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring Marcus Meissner (Jul 19)