From: "Dr. Christopher Kunz" <info@christopher-kunz.de>
To: oss-security@lists.openwall.com
Date: Thu, 11 Apr 2024 16:56:56 +0200
Subject: Re: [oss-security] New Linux LPE via GSMIOC_SETCONF_DLCI?
Message-ID: <052779d0-a3c3-4691-9491-08520952ca8e@christopher-kunz.de>
In-Reply-To: <20240411140654.GA24980@openwall.com>
References: <607d5716-128f-44c5-ab52-6dde4ca6e8a4@christopher-kunz.de> <20240411140654.GA24980@openwall.com>

Hi,

> There are two exploits in Yurii's repo above, according to Yurii for two
> different bugs. The above is one of them. Perhaps also try the other?

The two exploit versions are for different kernels. The 6.5 exploit doesn't compile on the Debian 12 6.1 kernel, and no Debian version currently distributes a 6.5 kernel, AFAICT. I used ExploitGSM_5_15_to_6_1/ExploitGSM and it worked.

> I don't know, and apparently it'd need to be two CVEs for two bugs that
> Yurii exploits.

Possibly. I'm definitely out of my depth trying to analyze which bugs are being exploited.

> CVE-2023-52564: Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux"
> https://lists.openwall.net/linux-cve-announce/2024/03/02/54
>
> Maybe CVE-2023-52564 is one of the bugs Yurii exploits, or maybe not.
> I didn't look into this closely enough to tell.

Apparently not. Debian 12 "Bookworm" currently runs this kernel:

Linux debianexploitgsm 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux

According to the changelog, this kernel has the fix for CVE-2023-52564 included:

    - Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux"

(from https://metadata.ftp-master.debian.org/changelogs//main/l/linux-signed-amd64/linux-signed-amd64_6.1.76+1_changelog)

Still, the exploit works, so it must exploit a different issue.

Just my two cents,

--cku