A local root kernel vulnerability

Submitted by
Style Pass
2021-07-20 19:30:08

We discovered a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer: by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer.

It may not sound like much, but they claim to have written exploits for a number of Ubuntu, Debian, and Fedora distributions. Updates from distributors are already flowing, and this patch has been fast-tracked into today's stable kernel updates as well.
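As an added illustration of the size_t-to-int conversion class the advisory describes (this is not code from the advisory, the kernel, or the original page), the C below contrasts the narrowing pattern with a checked one. The 2GB buffer size is an assumption, chosen because it reproduces the -2GB-10B offset quoted above.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Assumed (not stated on the page): the buffer backing the >1GB path
 * has grown to 2GB by the time the write happens. */
#define ASSUMED_BUF_SIZE (2UL * 1024 * 1024 * 1024)

/* Vulnerable pattern: the buffer size arrives as size_t but is stored in
 * an int before a "prepend" write computes buf + buflen - namelen.
 * Returns the byte offset, relative to the buffer start, where the write
 * would land. Narrowing a value above INT_MAX to int is implementation-
 * defined; GCC and Clang wrap it to a negative number. */
long prepend_offset_unchecked(size_t buf_size, size_t namelen)
{
    int buflen = (int)buf_size;          /* the narrowing conversion */
    return (long)buflen - (long)namelen; /* 2GB, 10 -> -2GB - 10 */
}

/* Hardened pattern: keep the length in size_t, reject sizes that the
 * downstream int arithmetic cannot represent, and bounds-check the
 * remaining room before writing. *pos is the write cursor, starting at
 * buf_size and moving toward 0. Returns 0 on success, -1 on refusal. */
int prepend_checked(char *buf, size_t buf_size, size_t *pos,
                    const char *name, size_t namelen)
{
    if (buf_size > INT_MAX)                /* would go negative as an int */
        return -1;
    if (*pos > buf_size || *pos < namelen) /* cursor out of range / no room */
        return -1;
    *pos -= namelen;
    memcpy(buf + *pos, name, namelen);
    return 0;
}

int main(void)
{
    /* "//deleted" plus its NUL terminator is the 10-byte string from the advisory */
    printf("unchecked offset: %ld\n",
           prepend_offset_unchecked(ASSUMED_BUF_SIZE, 10));

    char buf[32];
    size_t pos = sizeof buf;
    int rc = prepend_checked(buf, sizeof buf, &pos, "//deleted", 10);
    printf("checked small buffer: rc=%d pos=%zu \"%s\"\n", rc, pos, buf + pos);

    rc = prepend_checked(NULL, ASSUMED_BUF_SIZE, &pos, "//deleted", 10);
    printf("checked 2GB buffer: rc=%d (refused)\n", rc);
    return 0;
}
```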

A local root kernel vulnerability
Posted Jul 20, 2021 15:12 UTC (Tue) by rahulsundaram (subscriber, #21946)

It would be nice if the Linux kernel developers transparently communicated in their commit messages if the commit was intended to resolve a known security issue.

A local root kernel vulnerability
Posted Jul 20, 2021 16:11 UTC (Tue) by bpearlmutter (subscriber, #14693)

It's very hard to draw a line between "regular bugs" and "bugs with security implications". Very often, bugs that were thought to not have security implications turn out to be exploitable. It's also not a very interesting endeavor. So they decided to just punt on it: fix all the bugs, and let others decide which to back-port.

A local root kernel vulnerability
Posted Jul 20, 2021 17:01 UTC (Tue) by darwi (subscriber, #131202)

Fix all the bugs, sure. But don't intentionally deteriorate the commit log of critical security fixes to hide their main rationale...

Compare the advisory text against the commit log. Whom are we kidding? There should've been, at least, a "Link: " tag in the commit log pointing to the advisory. But no, let's hide our tracks instead...

A local root kernel vulnerability
Posted Jul 20, 2021 17:08 UTC (Tue) by darwi (subscriber, #131202)

Correction: The commit predates the advisory e-mail (duh, sorry), but it should've added a proper summary and an honest rationale.

A local root kernel vulnerability
Posted Jul 20, 2021 17:21 UTC (Tue) by rgmoore (✭ supporter ✭, #75)

"It's very hard to draw a line between "regular bugs" and "bugs with security implications"."

Yes and no. It's true that it's difficult to exclude security implications from "regular bugs"; there's always a possibility a sufficiently clever attacker could find a way to exploit them. But it would be good to come right out and say it when there's a known exploit.

I understand the kernel people are worried that mentioning known exploits for some bugs would give people a false sense of security about other ones, but I think that's a highly questionable argument. If you're fixing a known exploit, let people know!

A local root kernel vulnerability
Posted Jul 20, 2021 15:18 UTC (Tue) by darwi (subscriber, #131202)

It is really sad that, in this day and age, Linux kernel security fixes' commit logs are still intentionally written to "hide things under the rug."

Commit messages
Posted Jul 20, 2021 15:41 UTC (Tue) by proski (subscriber, #104)

Do you have a specific suggestion how to handle such issues better? It would be interesting to explore alternatives.

A local root kernel vulnerability
Posted Jul 20, 2021 16:50 UTC (Tue) by ccezar (subscriber, #2749)

Well, the total path length exceeding 1GB is not, how to say, a normal thing.

