oss-sec mailing list archives

Re: Re: Linux Kernel bpf related UAF


From: Daniel Borkmann <daniel () iogearbox net>
Date: Tue, 14 Jun 2016 10:04:18 +0200

On 05/12/2016 05:27 PM, cve-assign () mitre org wrote:

The following reproducer will cause a UAF of previously allocated memory
in bpf.

You can reproduce with Linux kernel master, or 4.6-rc6, 4.6-rc7, and maybe
other kernel versions.

int main(int argc, char **argv)
...
r[0] = syscall(SYS_mmap, ...
...
r[5] = syscall(SYS_bpf, ...

Use CVE-2016-4794. (We did not run any tests, or look for other
information, to investigate whether the same reproducer or a similar
reproducer affects any kernel version that's considered stable or
longterm.)

Just fyi, the issues have been fixed in the kernel's percpu allocator:

  - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4f996e234dad488e5d9ba0858bc1bae12eff82c3
  - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6710e594f71ccaad8101bc64321152af7cd9ea28

--
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
   http://cve.mitre.org/cve/request_id.html ]
