Message-ID: <309df802-f365-47b2-87e1-d361437db76d@molgen.mpg.de>
Date: Thu, 11 Apr 2024 09:06:13 +0200
From: Donald Buczek <buczek@molgen.mpg.de>
To: oss-security@lists.openwall.com
References: <607d5716-128f-44c5-ab52-6dde4ca6e8a4@christopher-kunz.de>
In-Reply-To: <607d5716-128f-44c5-ab52-6dde4ca6e8a4@christopher-kunz.de>
Subject: Re: [oss-security] New Linux LPE via GSMIOC_SETCONF_DLCI?

On 4/10/24 21:56, Dr. Christopher Kunz wrote:
> Hello all,
>
> it seems that a new LPE (or two) in the Linux kernel has been dropped.
> The situation is a bit confusing and after discussing with Alexander
> off-list, I decided to post the various versions of the bug and the
> corresponding PoCs.
>
> Maybe we can clear this up together.
>
> 1. YuriiCrimson's version (April 6-ish)
>
> It seems to use GSMIOC_SETCONF_DLCI, PoC supposedly works on current
> Ubuntu and Debians, but is stopped by LKRG.

Thanks!

For other distros or self-rolled kernels: Depends on CONFIG_N_GSM.

D.

> PoC and writeup are here: https://github.com/YuriiCrimson/ExploitGSM/tree/main
>
> 2. jmpeaux' version (March 21)
>
> This seems similar, also using GSMIOC_SETCONF_DLCI. In the screenshots,
> even the working dir for the PoC is identical to 1). Yurii claims jmpeaux
> stole his work.
>
> Writeup: https://jmpeax.dev/The-tale-of-a-GSM-Kernel-LPE.html
>
> PoC: https://github.com/jmpe4x/GSM_Linux_Kernel_LPE_Nday_Exploit/tree/main
>
> And then there's
>
> 3. ZDI-24-020 / CVE-2023-6546 (January)
>
> This also exploits a race condition resulting in a UAF in the gsm_dlci
> struct. It's a little older.
>
> Writeup and PoC: https://github.com/Nassim-Asrir/ZDI-24-020/
>
> What do you make of this?
>
> Best regards,
>
> --cku
>

-- 
Donald Buczek
buczek@molgen.mpg.de
Tel: +49 30 8413 1433
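Donald's point that exposure depends on CONFIG_N_GSM is the check an administrator of a self-built or less common kernel wants to run. The script below is an added example for this archive, not code from the thread or from any of the linked repositories. It assumes a Linux host where the running kernel's config is readable at /boot/config-$(uname -r) or, with CONFIG_IKCONFIG_PROC=y, at /proc/config.gz, and it reads /proc/tty/ldiscs to see whether the n_gsm line discipline is currently registered.

```shell
#!/bin/sh
# Added example (not part of the oss-security thread): report whether this
# kernel can provide the n_gsm line discipline that the quoted PoCs depend on.

# Print "builtin", "module" or "disabled" according to the CONFIG_N_GSM line
# in a plain-text kernel config file given as $1.
n_gsm_config_state() {
    if grep -q '^CONFIG_N_GSM=y$' "$1"; then
        echo builtin
    elif grep -q '^CONFIG_N_GSM=m$' "$1"; then
        echo module
    else
        # Either "# CONFIG_N_GSM is not set" or no line at all.
        echo disabled
    fi
}

# Locate a readable config for the running kernel: the usual distro location
# first, then /proc/config.gz decompressed into a temp file. Prints the path,
# or nothing when neither source is available.
find_kernel_config() {
    rel=$(uname -r)
    if [ -r "/boot/config-$rel" ]; then
        echo "/boot/config-$rel"
    elif [ -r /proc/config.gz ]; then
        tmp=$(mktemp)
        zcat /proc/config.gz > "$tmp"
        echo "$tmp"
    fi
}

# Succeed when n_gsm is registered right now. /proc/tty/ldiscs lists each
# registered line discipline as "<name> <number>", name padded with spaces.
n_gsm_registered() {
    [ -r /proc/tty/ldiscs ] && grep -q '^n_gsm ' /proc/tty/ldiscs
}

# Stand-alone report for the running host.
cfg=$(find_kernel_config)
if [ -n "$cfg" ]; then
    echo "CONFIG_N_GSM in $cfg: $(n_gsm_config_state "$cfg")"
else
    echo "no readable kernel config found; cannot determine CONFIG_N_GSM"
fi
if n_gsm_registered; then
    echo "n_gsm line discipline is currently registered (/proc/tty/ldiscs)"
else
    echo "n_gsm line discipline is not currently registered"
fi
```

A "module" result is not the same as "not loaded": the runtime check against /proc/tty/ldiscs tells you whether the discipline is registered at this moment, which is the state that matters when assessing exposure on a given host, while the config result tells you whether the kernel could provide it at all.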