From: Jann Horn <jannh@google.com>
To: John Haxby <john.haxby@oracle.com>
Cc: oss-security@lists.openwall.com,
"Jason A. Donenfeld" <Jason@zx2c4.com>,
linux-security-module <linux-security-module@vger.kernel.org>,
linux-acpi@vger.kernel.org, Matthew Garrett <mjg59@srcf.ucam.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>,
Ubuntu Kernel Team <kernel-team@lists.ubuntu.com>
Subject: Re: [oss-security] lockdown bypass on mainline kernel for loading unsigned modules
Date: Mon, 15 Jun 2020 19:02:51 +0200 [thread overview]
Message-ID: <CAG48ez3fQbBLUBUkSaF-0b_DhL8M_1JU4DKkjTYXGB_6G1RgiA@mail.gmail.com> (raw)
In-Reply-To: <206DB19C-0117-4F4B-AFF7-212E40CB8C75@oracle.com>
On Mon, Jun 15, 2020 at 6:24 PM John Haxby <john.haxby@oracle.com> wrote:
> > On 15 Jun 2020, at 11:26, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> > Yesterday, I found a lockdown bypass in Ubuntu 18.04's kernel using
> > ACPI table tricks via the efi ssdt variable [1]. Today I found another
> > one that's a bit easier to exploit and appears to be unpatched on
> > mainline, using acpi_configfs to inject an ACPI table. The tricks are
> > basically the same as the first one, but this one appears to be
> > unpatched, at least on my test machine. Explanation is in the header
> > of the PoC:
> >
> > https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh
> >
> > I need to get some sleep, but if nobody posts a patch in the
> > meanwhile, I'll try to post a fix tomorrow.
> >
> > Jason
> >
> > [1] https://www.openwall.com/lists/oss-security/2020/06/14/1
>
>
> This looks CVE-worthy. Are you going to ask for a CVE for it?
Does it really make sense to dole out CVEs for individual lockdown
bypasses when various areas of the kernel (such as filesystems and
BPF) don't see root->kernel privilege escalation issues as a problem?
It's not like applying the fix for this one issue is going to make
systems meaningfully safer.
next prev parent reply other threads:[~2020-06-15 17:03 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-15 10:26 lockdown bypass on mainline kernel for loading unsigned modules Jason A. Donenfeld
2020-06-15 10:43 ` [PATCH] acpi: disallow loading configfs acpi tables when locked down Jason A. Donenfeld
2020-06-16 22:20 ` Jason A. Donenfeld
2020-06-17 8:37 ` Ard Biesheuvel
2020-06-17 8:42 ` Jason A. Donenfeld
2020-06-17 16:52 ` Kaneda, Erik
2020-06-22 14:45 ` Rafael J. Wysocki
2020-06-15 16:22 ` [oss-security] lockdown bypass on mainline kernel for loading unsigned modules John Haxby
2020-06-15 17:02 ` Jann Horn [this message]
2020-06-15 17:28 ` Jason A. Donenfeld
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAG48ez3fQbBLUBUkSaF-0b_DhL8M_1JU4DKkjTYXGB_6G1RgiA@mail.gmail.com \
--to=jannh@google.com \
--cc=Jason@zx2c4.com \
--cc=john.haxby@oracle.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=kernel-team@lists.ubuntu.com \
--cc=linux-acpi@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mjg59@srcf.ucam.org \
--cc=oss-security@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).