From: Greg KH <gregkh@linuxfoundation.org>
To: Jiri Slaby <jirislaby@kernel.org>
Cc: Minh Yuan <yuanmingbuaa@gmail.com>,
	oss-security@lists.openwall.com,
	Linux kernel mailing list <linux-kernel@vger.kernel.org>
Subject: Re: [oss-security] CVE-2020-25656: Linux kernel concurrency UAF in vt_do_kdgkb_ioctl
Date: Fri, 16 Oct 2020 09:03:49 +0200
Message-ID: <20201016070349.GA574432@kroah.com>
In-Reply-To: <09826e03-525c-d307-5bfe-f51cb9298e1f@kernel.org>

On Fri, Oct 16, 2020 at 08:58:34AM +0200, Jiri Slaby wrote:
> Cc Greg.
> 
> On 16. 10. 20, 5:39, Minh Yuan wrote:
> > Hi,
> > 
> > We recently discovered a UAF read in vt_do_kdgkb_ioctl from Linux kernel
> > version 3.4 to the latest version (v5.9 for now).
> > 
> > The root cause of this vulnerability is that there exists a race between
> > KDGKBSENT and KDSKBSENT.
> > 
> > Here are details:
> > 1. use KDSKBSENT to allocate a larger heap buffer for funcbufptr;
> > 2. use KDGKBSENT to obtain the heap pointer allocated in step 1 via
> > func_table; at the same time, because KDGKBSENT takes no lock, we can use
> > KDSKBSENT again to allocate a buffer larger than the one in step 1, and the
> > old funcbufptr will be freed. However, we have already obtained the heap
> > pointer in KDGKBSENT, so a UAF read will happen while executing put_user.
> 
> Hi,
> 
> this is likely the issue I am fixing at:
> https://git.kernel.org/pub/scm/linux/kernel/git/jirislaby/linux.git/commit/?h=devel&id=57c85191e788e172a446e34ef77d34473cfb1e8d
> 
> I think, it won't apply cleanly as it's a part of a larger set. I will
> reorder the patch and send something during the day.

Great, thanks for looking into this!

greg k-h

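The race Minh Yuan describes above, modelled in userspace C. This is an added example and not kernel code or the patch Jiri refers to: the names funcbufptr, func_table and func_buf_lock mirror the kernel's, but the functions are simplified stand-ins (four entries instead of 256, a flag instead of a spinlock, a deterministic "preempt" callback instead of a second thread), and kfree() is replaced by a poisoning quarantine so the stale read shows up as 0xFF bytes rather than undefined behaviour. The "fixed" reader assumes the shape of the fix is a private copy taken under an extended func_buf_lock followed by the copy-out; the thread itself does not spell the fix out.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NR_FUNC 4      /* the kernel uses 256; four entries suffice here */
#define KB_STRING   512    /* sizeof(struct kbsentry::kb_string) */
#define POISON      0xFF   /* byte pattern written into "freed" blocks */

/* Model of the kernel-side state: one heap block (funcbufptr) holds every
 * function-key string and func_table[] points into it. */
static char  *funcbufptr;
static size_t funcbufsize;
static char  *func_table[MAX_NR_FUNC];
static int    func_buf_lock;            /* stand-in for the spinlock */

static void lock_func_buf(void)   { if (func_buf_lock) abort(); func_buf_lock = 1; }
static void unlock_func_buf(void) { func_buf_lock = 0; }

/* kfree() stand-in: poison the block and keep it, so a read through a stale
 * pointer is visible as POISON bytes. Blocks are padded to KB_STRING so the
 * model's stale read stays inside the quarantined block. */
static char  *quarantine[32];
static int    nquar;
static size_t padded(size_t n) { return n < KB_STRING ? KB_STRING : n; }
static void model_kfree(char *p, size_t sz)
{
    memset(p, POISON, sz);
    if (nquar < 32) quarantine[nquar++] = p; else free(p);
}

/* Fresh table with constructed defaults (the kernel's F1..F4 strings). */
static void reset_model(void)
{
    static const char *def[MAX_NR_FUNC] = { "\033[[A", "\033[[B", "\033[[C", "\033[[D" };
    size_t total = 0, off = 0;
    int i;
    while (nquar) free(quarantine[--nquar]);
    free(funcbufptr);
    for (i = 0; i < MAX_NR_FUNC; i++) total += strlen(def[i]) + 1;
    funcbufsize = padded(total);
    funcbufptr = malloc(funcbufsize);
    for (i = 0; i < MAX_NR_FUNC; i++) {
        func_table[i] = funcbufptr + off;
        strcpy(func_table[i], def[i]);
        off += strlen(def[i]) + 1;
    }
}

/* KDSKBSENT model: replace entry idx with s. The new string needs a larger
 * block, so every entry is copied over, func_table[] is repointed and the
 * old block is freed. The setter runs under func_buf_lock. */
static void kdskbsent(int idx, const char *s)
{
    size_t total = 0, off = 0;
    char *nb;
    int i;
    lock_func_buf();
    for (i = 0; i < MAX_NR_FUNC; i++) total += strlen(i == idx ? s : func_table[i]) + 1;
    nb = malloc(padded(total));
    for (i = 0; i < MAX_NR_FUNC; i++) {
        const char *src = (i == idx) ? s : func_table[i];
        size_t n = strlen(src) + 1;
        memcpy(nb + off, src, n);
        func_table[i] = nb + off;
        off += n;
    }
    model_kfree(funcbufptr, funcbufsize);   /* old block: gone */
    funcbufptr = nb;
    funcbufsize = padded(total);
    unlock_func_buf();
}

typedef void (*preempt_fn)(void);

/* Vulnerable KDGKBSENT: snapshot func_table[idx] without the lock, then
 * copy byte by byte with put_user(). `preempt` models another task running
 * KDSKBSENT between the two steps. */
static void kdgkbsent_vuln(int idx, char *ubuf, preempt_fn preempt)
{
    const char *p = func_table[idx];        /* unlocked pointer snapshot */
    size_t i;
    if (preempt) preempt();                 /* old block is freed here */
    for (i = 0; i < KB_STRING - 1 && p[i]; i++)
        ubuf[i] = p[i];                     /* put_user() from freed memory */
    ubuf[i] = '\0';
}

/* Fixed KDGKBSENT (assumed shape of the fix): copy into a kernel-side buffer
 * while holding the lock, drop the lock, then copy_to_user() from the private
 * copy. The setter can no longer free the block mid-copy. */
static void kdgkbsent_fixed(int idx, char *ubuf, preempt_fn preempt)
{
    char kbuf[KB_STRING];
    memset(kbuf, 0, sizeof kbuf);
    lock_func_buf();
    snprintf(kbuf, sizeof kbuf, "%s", func_table[idx]);
    unlock_func_buf();
    if (preempt) preempt();                 /* setter runs; we hold a copy */
    memcpy(ubuf, kbuf, sizeof kbuf);
}

/* Constructed racing setter: long enough to force a larger block. */
static void racing_kdskbsent(void)
{
    kdskbsent(0, "\033[[Z replacement string much longer than the default F1");
}

static int count_poison(const char *ubuf)
{
    int n = 0;
    for (size_t i = 0; i < KB_STRING && ubuf[i]; i++)
        if ((unsigned char)ubuf[i] == POISON) n++;
    return n;
}

/* Number of POISON bytes the vulnerable reader hands to userspace; any
 * value above 0 is a read from freed memory. */
int demo_vulnerable(void)
{
    char ubuf[KB_STRING];
    reset_model();
    kdgkbsent_vuln(0, ubuf, racing_kdskbsent);
    return count_poison(ubuf);
}

/* 1 if the fixed reader returns a consistent snapshot (the pre-race string)
 * with no POISON bytes. */
int demo_fixed(void)
{
    char ubuf[KB_STRING];
    reset_model();
    kdgkbsent_fixed(0, ubuf, racing_kdskbsent);
    return count_poison(ubuf) == 0 && strcmp(ubuf, "\033[[A") == 0;
}

int main(void)
{
    printf("vulnerable reader: %d poison bytes copied to user\n", demo_vulnerable());
    printf("fixed reader returned a valid string: %s\n", demo_fixed() ? "yes" : "no");
    return 0;
}
```

The point the model makes is that the lock has to cover the whole window between reading the func_table[] pointer and the last byte copied from it; since put_user() cannot run under a spinlock, that means copying into a kernel buffer first and doing the user copy after the unlock. Either the old or the new string is an acceptable answer to a racing KDGKBSENT; bytes from a freed block are not.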