Re: New Linux LPE via GSMIOC_SETCONF_DLCI?

[Solar Designer <solar () openwall com>]

On Thu, Apr 11, 2024 at 10:32:59AM +0200, Dr. Christopher Kunz wrote:
> on a freshly installed and fully updated default Debian 12 VM (from the 
> current netinst iso), the first two exploits yield different results.
>
> > PoC and writeup are here: 
> > https://github.com/YuriiCrimson/ExploitGSM/tree/main
>
> This, let's call it "Yurii's version", works as advertised:
>
> $ ./ExploitGSM debian
> kallsyms restricted, begin retvial kallsyms table
> detected kernel path-> /boot/vmlinuz-6.1.0-18-amd64
> detected compressed format -> xz
> Uncompressed kernel size -> 65902908
> successfully taken kernel!
> begin try leak startup_xen!
> startup_xen leaked address  -> ffffffff8c86f1c0
> text leaked address         -> ffffffff8a800000
> lockdep_map_size     -> 32
> spinlock_t_size      -> 4
> mutex_size           -> 32
> gsm_mux_event_offset -> 56
> Let go thread
> We get root, spawn shell
> root@debianexploitgsm:/root# id
> uid=0(root) gid=0(root) groups=0(root)

There are two exploits in Yurii's repo above, according to Yurii for two
different bugs.  The above is one of them.  Perhaps also try the other?

> With regards to Yurii's PoC, I'd say that this can indeed be classified 
> as a working 0day LPE in the default configuration.
>
> We don't have a CVE for this yet, do we?

I don't know, and apparently it'd need to be two CVEs for two bugs that
Yurii exploits.

Besides the already mentioned CVE-2023-6546, there is:

CVE-2023-52564: Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux"
https://lists.openwall.net/linux-cve-announce/2024/03/02/54

The fixes for both CVE-2023-6546 and CVE-2023-52564 are in
gsm_cleanup_mux(), but they seem to be different changes in there.

Maybe CVE-2023-52564 is one of the bugs Yurii exploits, or maybe not.
I didn't look into this closely enough to tell.

Alexander