Date: Wed, 17 Apr 2024 08:19:15 +0200
From: Greg KH
To: oss-security@lists.openwall.com
Message-ID: <2024041743-muskiness-agreeably-5d03@gregkh>
References: <607d5716-128f-44c5-ab52-6dde4ca6e8a4@christopher-kunz.de> <20240410211457.GA20881@openwall.com> <20240416201602.GA21501@openwall.com>
In-Reply-To: <20240416201602.GA21501@openwall.com>
Subject: Re: [oss-security] New Linux LPE via GSMIOC_SETCONF_DLCI?

On Tue, Apr 16, 2024 at 10:16:02PM +0200, Solar Designer wrote:
> On Wed, Apr 10, 2024 at 11:14:57PM +0200, Solar Designer wrote:
> > On Wed, Apr 10, 2024 at 09:56:33PM +0200, Dr. Christopher Kunz wrote:
> > > 1. YuriiCrimson's version (April 6-ish)
> > >
> > > It seems to use GSMIOC_SETCONF_DLCI, PoC supposedly works on current Ubuntu
> > > and Debians, but is stopped by LKRG.
> > >
> > > PoC and writeup are here:
> > > https://github.com/YuriiCrimson/ExploitGSM/tree/main
> >
> > According to YuriiCrimson:
> >
> > https://twitter.com/YuriiCrimson/status/1778163455075217443
> >
> > "Exploit 6.4 - 6.5 using race condition in gsm_dlci_config.
> > Exploit for 5.15 - 6.5. using race condition in
> > gsm_dlci_open->gsm_modem_update->gsm_modem_upd_via_msc->gsm_control_wait.
> > We just waiting on gsm_control_wait and restart config for make free
> > dlci)). So it two zero days."
> >
> > > 3. ZDI-24-020 / CVE-2023-6546 (January)
> > >
> > > This also exploits a race condition resulting UAF in the gsm_dlci struct.
> > > It's a little older.
> > >
> > > Writeup and PoC: https://github.com/Nassim-Asrir/ZDI-24-020/
> > >
> > > What do you make of this?
> >
> > So it sounds like there are 3 different bugs recently found in this same
> > subsystem. Perhaps someone can follow up with links to relevant commits.
>
> I'm puzzled by the lack of follow-ups on this, but anyway @FFFVR_
> tweeted they also found (more) vulnerabilities in the n_gsm driver:
>
> https://twitter.com/FFFVR_/status/1778244738833080571

There have been lots of bugs in this driver once people started running
fuzzing on the code, which is why we applied the following patch last
year as you mention:

> Also relevant is this mainline commit from August 2023:
>
> tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=67c37756898a
>
> which is now being backported to stable/longterm kernels:

It's now in the following released kernels:
	4.19.312
	5.4.274
	5.10.215
	5.15.155
	6.1.86
	6.6

If people are curious about helping out, here's a good summary of the
issues involved from the current maintainer of the driver:
	https://lore.kernel.org/r/DB9PR10MB5881D2170678C169FB42A423E0082@DB9PR10MB5881.EURPRD10.PROD.OUTLOOK.COM

> Subject: Backport of 67c37756898a ("tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc") to older stable series? (at least 6.1.y)
> https://lore.kernel.org/stable/ZhbiWp9DexB_gJh_@eldamar.lan/
>
> Since there are multiple known unfixed bugs in this driver and since it
> poses unjustified risk on most systems anyway, here are some mitigations
> we can apply:
>
> 1. At kernel build time, don't enable CONFIG_N_GSM.

I recommend this one, almost no one has this hardware, it is very
specialized, so unless you have hardware that requires it, don't use it.

thanks,

greg k-h
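As an added example (not code from the thread or from the kernel tree), a POSIX shell script that applies the two checks a defender takes from this mail: whether a kernel version is at or above the stable release Greg lists as carrying the CAP_NET_ADMIN ldisc commit, and whether the running kernel builds or loads n_gsm at all. The release list is copied from the mail; the function names n_gsm_fixed and n_gsm_present are chosen here, and the kernel config is assumed to live at /boot/config-$(uname -r).

```shell
# Added example, not code from the thread or from the kernel tree.
# Fixed stable releases for commit 67c37756898a, copied from the mail;
# "6.6" is taken as any 6.6.y since the mail gives no patch level.
FIXED_RELEASES="4.19.312 5.4.274 5.10.215 5.15.155 6.1.86 6.6.0"

# n_gsm_fixed <version>: prints yes, no or unknown.
# Compares a.b.c numerically against the fixed release of the same a.b series;
# a trailing "-generic" or similar suffix is ignored.
n_gsm_fixed() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    maj=$(printf '%s' "$ver" | cut -d. -f1)
    min=$(printf '%s' "$ver" | cut -d. -f2)
    pat=$(printf '%s' "$ver" | cut -d. -f3)
    pat=${pat:-0}
    for f in $FIXED_RELEASES; do
        fmaj=$(printf '%s' "$f" | cut -d. -f1)
        fmin=$(printf '%s' "$f" | cut -d. -f2)
        fpat=$(printf '%s' "$f" | cut -d. -f3)
        if [ "$maj" = "$fmaj" ] && [ "$min" = "$fmin" ]; then
            if [ "$pat" -ge "$fpat" ]; then echo yes; else echo no; fi
            return 0
        fi
    done
    # Anything newer than 6.6 descends from the mainline commit; series the
    # mail does not list (6.2 to 6.5, or older than 4.19) are reported unknown.
    if [ "$maj" -gt 6 ] || { [ "$maj" -eq 6 ] && [ "$min" -gt 6 ]; }; then
        echo yes
    else
        echo unknown
    fi
}

# n_gsm_present: prints builtin, loaded, module or absent for the running
# kernel. Assumes the config is installed at /boot/config-$(uname -r).
n_gsm_present() {
    cfg="/boot/config-$(uname -r)"
    if grep -qs '^CONFIG_N_GSM=y' "$cfg"; then echo builtin; return 0; fi
    if grep -qs '^n_gsm ' /proc/modules; then echo loaded; return 0; fi
    if grep -qs '^CONFIG_N_GSM=m' "$cfg"; then echo module; return 0; fi
    echo absent
}

echo "kernel $(uname -r): CAP_NET_ADMIN ldisc fix present: $(n_gsm_fixed "$(uname -r)")"
echo "n_gsm driver: $(n_gsm_present)"
```

Distribution kernels carry backports under their own version numbers, so the version check is meaningful for upstream stable numbering only; the config and module checks apply either way.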