https://seclists.org/oss-sec/2022/q1/54

oss-sec mailing list archives

Linux kernel: Heap buffer overflow in fs_context.c since version 5.1

From: Will
Date: Tue, 18 Jan 2022 18:21:30 +0000

There is a heap overflow bug in legacy_parse_param in which the length of data copied can be incremented beyond the width of the 1-page slab allocated for it. We currently have created functional LPE exploits against Ubuntu 20.04 and container escape exploits against Google's hardened COS. The bug was introduced in 5.1-rc1 (https://github.com/torvalds/linux/commit/3e1aeb00e6d132efc151dacc062b38269bc9eccc#diff-c4a9ea83de4a42a0d1bcbaf1f03ce35188f38da4987e0e7a52aae7f04de14a05) and is present in all Linux releases since. As of January 18th, this patch (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=722d94847de29310e8aa03fcbdb41fc92c521756) fixes this issue.

The bug is caused by an integer underflow present in fs/fs_context.c:legacy_parse_param, which results in miscalculation of a valid max length. A bounds check is present at fs_context.c:551, returning an error if (len > PAGE_SIZE - 2 - size); however, if the value of size is greater than or equal to 4095, the unsigned subtraction will underflow to a massive value greater than len, so the check will not trigger. After this, the attacker may freely write data out-of-bounds. Changing the check to size + len + 2 > PAGE_SIZE (which the patch did) would fix this.

Exploitation relies on the CAP_SYS_ADMIN capability; however, the permission only needs to be granted in the current namespace. An unprivileged user can use unshare(CLONE_NEWNS|CLONE_NEWUSER) to enter a namespace with the CAP_SYS_ADMIN permission, and then proceed with exploitation to root the system.
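An added illustration of the bounds check the post describes, written for this archive page rather than taken from the post or from the kernel source: the original and patched checks side by side, plus a constructed model of the page-sized option buffer (the len + 1 accounting per option and the input lengths are assumptions) showing that the original check stops rejecting anything once the buffer holds 4095 bytes, while the patched form keeps refusing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE 4096u

/* Original check quoted in the post: len > PAGE_SIZE - 2 - size.
 * All operands are unsigned, so once size reaches PAGE_SIZE - 1 the
 * right-hand side wraps to a huge value and no len is ever rejected. */
bool check_original(size_t size, size_t len)
{
    return len > PAGE_SIZE - 2 - size;   /* true == reject the write */
}

/* Patched check quoted in the post: size + len + 2 > PAGE_SIZE.
 * The addition is on the left, so nothing wraps for realistic inputs
 * and the comparison stays meaningful at every fill level. */
bool check_patched(size_t size, size_t len)
{
    return size + len + 2 > PAGE_SIZE;   /* true == reject the write */
}

/* Constructed model of the page-sized option buffer: each accepted
 * option costs len + 1 bytes (a simplification, not the kernel's exact
 * accounting). A result above PAGE_SIZE means a write ran past the page. */
size_t simulate(const size_t *lens, size_t n, bool (*check)(size_t, size_t))
{
    size_t size = 0;
    for (size_t i = 0; i < n; i++) {
        if (check(size, lens[i]))
            continue;                     /* rejected; buffer untouched */
        size += lens[i] + 1;
    }
    return size;
}

/* Constructed input: fill the page to 4095 bytes, then two more options. */
size_t demo(bool (*check)(size_t, size_t))
{
    const size_t lens[] = { 4094, 100, 100 };
    return simulate(lens, 3, check);
}

int main(void)
{
    printf("original check: %zu bytes into a %u-byte page\n",
           demo(check_original), PAGE_SIZE);
    printf("patched check:  %zu bytes into a %u-byte page\n",
           demo(check_patched), PAGE_SIZE);
    return 0;
}
```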