New Linux LPE via GSMIOC_SETCONF_DLCI?

["Dr. Christopher Kunz" <info () christopher-kunz de>]

Hello all,

it seems that a new LPE (or two) in the Linux kernel has been dropped. The situation is a bit confusing and after 
discussing with Alexander off-list, I decided to post the various versions of the bug and the corresponding PoCs.

Maybe we can clear this up together.

1. YuriiCrimson's version (April 6-ish)

It seems to use GSMIOC_SETCONF_DLCI, PoC supposedly works on current Ubuntu and Debians, but is stopped by LKRG.

PoC and writeup are here: https://github.com/YuriiCrimson/ExploitGSM/tree/main

2. jmpeaux' version (March 21)

This seems similar, also using GSMIOC_SETCONF_DLCI. In the screen shots, even the working dir for the PoC is identical 
to 1). Yurii claims jmpeaux stole his work.

Writeup: https://jmpeax.dev/The-tale-of-a-GSM-Kernel-LPE.html

PoC: https://github.com/jmpe4x/GSM_Linux_Kernel_LPE_Nday_Exploit/tree/main

And then there's

3. ZDI-24-020 / CVE-2023-6546 (January)

This also exploits a race condition resulting UAF in the gsm_dlci struct. It's a little older.

Writeup and PoC: https://github.com/Nassim-Asrir/ZDI-24-020/

What do you make of this?

Best regards,

--cku