oss-sec mailing list archives
Re: Re: Linux Kernel bpf related UAF
From: Daniel Borkmann <daniel () iogearbox net>
Date: Tue, 14 Jun 2016 10:04:18 +0200
On 05/12/2016 05:27 PM, cve-assign () mitre org wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256the following reproducer will cause a UAF of a previously allocated memory in bpf. You can reproduce with linux kernel master, or 4.6-rc6 4.6-rc7 and maybe other kernel versions.int main(int argc, char **argv) ... r[0] = syscall(SYS_mmap, ... ... r[5] = syscall(SYS_bpf, ...Use CVE-2016-4794. (We did not run any tests, or look for other information, to investigate whether the same reproducer or a similar reproducer affects any kernel version that's considered stable or longterm.)
Just fyi, the issues have been fixed in the kernel's percpu allocator: - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4f996e234dad488e5d9ba0858bc1bae12eff82c3 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6710e594f71ccaad8101bc64321152af7cd9ea28
- -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXNKCMAAoJEHb/MwWLVhi2g8QP/3vBTsa8xuk8NWYWsv3jwNGu Ugpl+hUdkQHW4aFzxx96nePBPZpfVeNCGRMdtlCcKVb9wFNUSbRwDPBHFXrfKz9R KVf9VHi4CMcBlvPS0MvGZg52SQPAAO7O7cCWpEAdhyxW2gPPxKYo98x4xNuNVlWx POD/dVK9ll261g6W+CUSYPtwJgIrPSddnnNCUvbB+XIvV87MGSLp+nE6h8I3L2Yp ZisKaT6z6aHqqC0bcySk6V04UlbkfL83eahAz5bWvZeywUEjYvN+kOUlgR8TOxLC 8bIQ28Q043XM3VC853rhPQqe5enV6KDRrLgDu1paeFdKYcaHjGkHvkwjRfxjJZIC EsNdEl2vGjB1iGTUnFiUep9BteZBRrwfmaTE1yAseaUjEAx/3UK85PpTEqmNkON6 1HCInP0LOeZMcggVzBKgRKCXKJZiInxEtSBXhxnPGgxagkOD7enw86gWflSqz3ca wdRm/oADgCrQk6CsSGgusCouSyndC/T6ZRCa2/7vCecm2BBi8gxRuT4TZem3A6Ij x+zfK7QaMDtELPGL+/rVOSgVCTaihz7oGeBKzqJeuyAv7zN0LxYoNlBsmsoBSTYJ Uftvf0T7JTR3AQd1+tB2kOnyGOW4jSCNu66xNifR29j1C7jvKB0+uh891s/3mkzo Wttcn/XLKpzXFWtN+mjb =DWFZ -----END PGP SIGNATURE-----
Current thread:
- Linux Kernel bpf related UAF Marco Grassi (May 12)
- Re: Linux Kernel bpf related UAF cve-assign (May 12)
- Re: Linux Kernel bpf related UAF Marco Grassi (May 12)
- Re: Re: Linux Kernel bpf related UAF Daniel Borkmann (Jun 14)
- Re: Linux Kernel bpf related UAF cve-assign (May 12)