Opened 11 months ago
Closed 11 months ago
New point version.
Now version 5.8.7
Now version 5.8.8
This has a security fix in it
Date: Tue, 8 Sep 2020 08:33:00 -0700
From: Andy Lutomirski <luto@...nel.org>
To: oss security list <oss-security@...ts.openwall.com>
Subject: CVE Request: Linux kernel vsyscall page refcounting error

Linux 5.7 and 5.8 have a bug in the reference counting of the struct
page that backs the vsyscall page. The result is a refcount
underflow. This can be triggered by any 64-bit process that is
permitted to use ptrace() or process_vm_readv(). A creative attacker
can probably achieve kernel code escalation by using this bug.

You can prevent the issue from triggering by booting with
vsyscall=xonly or vsyscall=none. You can also effectively hotpatch a
kernel with suitable hardening options by running the updated test
case noted below -- the test case will underflow the refcount past
zero, preventing further use of the page. (A real attacker would
carefully underflow it exactly to zero but not past.) Or you can fix

(No one should be using vsyscall=emulate any more unless they have a
very specific use case that requires it. vsyscall=xonly is better in
almost all cases. For some reason, Fedora still seems to be using
emulate mode, though.)

Author: Dave Hansen <dave.hansen@...ux.intel.com>
Date: Thu Sep 3 13:40:28 2020 -0700

mm: fix pin vs. gup mismatch with gate pages

and tested a little better by:

Author: Andy Lutomirski <luto@...nel.org>
Date: Thu Sep 3 13:40:30 2020 -0700

selftests/x86/test_vsyscall: Improve the process_vm_readv() test
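
An added example, not part of the ticket or the quoted advisory: a shell check that reports which vsyscall mode a host is running in and whether its kernel series is one the advisory names. The function names and sample maps lines are constructed; it assumes /proc/<pid>/maps lists the [vsyscall] page as r-xp under vsyscall=emulate, as --xp under vsyscall=xonly, and omits it under vsyscall=none.

```shell
#!/bin/sh
# Constructed /proc/<pid>/maps excerpts (sample data, not captured from a real host).
SAMPLE_EMULATE='7ffc3a1f0000-7ffc3a1f2000 r-xp 00000000 00:00 0    [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0    [vsyscall]'
SAMPLE_XONLY='7ffc3a1f0000-7ffc3a1f2000 r-xp 00000000 00:00 0    [vdso]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0    [vsyscall]'
SAMPLE_NONE='7ffc3a1f0000-7ffc3a1f2000 r-xp 00000000 00:00 0    [vdso]'

# vsyscall_mode MAPS_TEXT: print emulate, xonly or none.
# Reading the live mapping also covers the kernel's built-in default,
# which a look at the boot command line alone would miss.
vsyscall_mode() {
    perms=$(printf '%s\n' "$1" | awk '$NF == "[vsyscall]" { print $2 }')
    case "$perms" in
        "") echo none ;;     # page not mapped at all
        r*) echo emulate ;;  # readable page: the mode the advisory warns about
        *)  echo xonly ;;    # execute-only page
    esac
}

# affected_series RELEASE: succeed for the 5.7 and 5.8 series named in the advisory.
affected_series() {
    case "$1" in
        5.7|5.7.*|5.7-*|5.8|5.8.*|5.8-*) return 0 ;;
        *) return 1 ;;
    esac
}

# assess RELEASE MAPS_TEXT: one-line verdict combining both checks.
assess() {
    mode=$(vsyscall_mode "$2")
    if [ "$mode" != emulate ]; then
        echo "mitigated: vsyscall=$mode"
    elif affected_series "$1"; then
        echo "exposed: vsyscall=emulate on a 5.7/5.8 kernel, confirm the fix is applied"
    else
        echo "review: vsyscall=emulate in use, prefer xonly"
    fi
}

if [ "${1:-}" = "--live" ]; then
    # Inspect the running host instead of the constructed samples.
    assess "$(uname -r)" "$(cat /proc/self/maps)"
else
    for sample in "$SAMPLE_EMULATE" "$SAMPLE_XONLY" "$SAMPLE_NONE"; do
        assess 5.8.7 "$sample"
    done
fi
```
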
Now version 5.8.9.
Fixed at revision 12047.