|
Message-ID: <20230725123152.GG19212@suse.de> Date: Tue, 25 Jul 2023 14:31:55 +0200 From: Marcus Meissner <meissner@...e.de> To: oss-security@...ts.openwall.com Cc: Tamas Koczka <poprdi@...omium.org> Subject: Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring Hi, https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html has been updated with exploit information. I tried to backtrack through kernel git to find the exact commit where this locking problem got fixed, but I gave up after a while after multiple refactoring (and a filemove) in the io_uring codel. Cia, Marcus On Wed, Jul 19, 2023 at 09:47:15AM +0200, Marcus Meissner wrote: > Hi, > > On Fri, Jul 14, 2023 at 08:06:56PM +0200, Solar Designer wrote: > > Hi, > > > > Thank you for bringing this to oss-security back then. I have a few > > questions below that I think you could clarify for everyone. I'll quote > > more of your message than I normally do since it's been a while. > > ... > > > There's a recent write-up on an exploitation technique that also > > partially describes CVE-2023-21400, "a double free vulnerability in > > io_uring [...] found by Ye Zhang and [Nicolas Wu] last year, affecting > > kernel 5.10. [...] we exploit CVE-2023-21400 with Dirty Pagetable on > > Google Pixel 7." > > > > Dirty Pagetable: A Novel Exploitation Technique To Rule Linux Kernel > > https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html > > > > I wish this vulnerability and exploitation technique were properly > > brought to oss-security on its own, and in a context not limited to > > Google Pixel. Maybe it will be once the full description is made > > public, as right now the write-up above omits vulnerability detail. > > > > It appears that this got patched in the July 5 update for Google Pixel: > > > > Pixel Update Bulletin - July 2023 > > Published July 5, 2023 > > https://source.android.com/docs/security/bulletin/pixel/2023-07-01 > > > > "For Google devices, security patch levels of 2023-07-05 or later > > address all issues in this bulletin and all issues in the July 2023 > > Android Security Bulletin." > > > > "CVE-2023-21400 A-264663832 * EoP Moderate Kernel io_uring" > > > > Nothing is mentioned about seccomp-bpf on either of the above web pages, > > although maybe it's factored into the Moderate severity rating? > > > > I understand that with vulnerability detail still not public you might > > not be able to tell much, but I am wondering whether there's any > > inconsistency here (seccomp-bpf on Android was meant to prevent this, > > but did not?) or just a misunderstanding or something else. I wonder > > if a vulnerability in io_uring could be such that it's exploitable > > without io_uring access directly from the attacking app. > > FWIW we reached out to the Android CNA team, but their statement back > to us was that they pulled quite a number of backport commits into their 5.5 > and 5.10 based trees, but did either not specify nor identify specific commits > fixing the issue (or further details) so far. > > Ciao, Marcus -- Marcus Meissner (he/him), Distinguished Engineer / Senior Project Manager Security SUSE Software Solutions Germany GmbH, Frankenstrasse 146, 90461 Nuernberg, Germany GF: Ivo Totev, Andrew Myers, Andrew McDonald, Martje Boudien Moerman, HRB 36809, AG Nuernberg
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.