oss-sec mailing list archives
Re: Linux Kernel: local priv escalation via futexes
From: Solar Designer <solar () openwall com>
Date: Fri, 29 Jan 2021 17:42:08 +0100
Hi, I'm not familiar with futexes, but just to save others a few minutes on looking this up: On Fri, Jan 29, 2021 at 11:09:28AM +0100, Marcus Meissner wrote:
- Address a longstanding issue where the user space part of the PI
futex is not writeable. The kernel returns with inconsistent state
which can in the worst case result in a UAF of a tasks kernel
stack.
The solution is to establish consistent kernel state which makes
future operations on the futex fail because user space and kernel
space state are inconsistent. Not a problem as PI futexes
fundamentaly require a functional RW mapping and if user space
pulls the rug under it, then it can keep the pieces it asked for.
* tag 'locking-urgent-2021-01-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
futex: Handle faults correctly for PI futexes
FWIW, this commit has:
Fixes: 1b7558e457ed ("futexes: fix fault handling in futex_lock_pi")
and that other commit is from 2008. So probably all currently
maintained Linux distros and deployments are affected, unless something
else mitigated the issue in some kernel versions.
Alexander
Current thread:
- Linux Kernel: local priv escalation via futexes Marcus Meissner (Jan 29)
- Re: Linux Kernel: local priv escalation via futexes Solar Designer (Jan 29)
- Re: Linux Kernel: local priv escalation via futexes Marcus Meissner (Jan 29)
- Re: Linux Kernel: local priv escalation via futexes David A. Wheeler (Jan 29)
- Re: Linux Kernel: local priv escalation via futexes Solar Designer (Feb 01)
- Re: Linux Kernel: local priv escalation via futexes Marcus Meissner (Jan 29)
- Re: Linux Kernel: local priv escalation via futexes Solar Designer (Jan 29)