Headline
CVE-2014-3153: security - Re: Linux kernel futex local privilege escalation (CVE-2014-3153)
The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification.
- Products
- Openwall GNU/*/Linux server OS
- Linux Kernel Runtime Guard
- John the Ripper password cracker
- Free & Open Source for any platform
- in the cloud
- Pro for Linux
- Pro for macOS
- Wordlists for password cracking
- passwdqc policy enforcement
- Free & Open Source for Unix
- Pro for Windows (Active Directory)
- yescrypt KDF & password hashing
- yespower Proof-of-Work (PoW)
- crypt_blowfish password hashing
- phpass ditto in PHP
- tcb better password shadowing
- Pluggable Authentication Modules
- scanlogd port scan detector
- popa3d tiny POP3 daemon
- blists web interface to mailing lists
- msulogin single user mode login
- php_mt_seed mt_rand() cracker
- Services
- Publications
- Articles
- Presentations
- Resources
- Mailing lists
- Community wiki
- Source code repositories (GitHub)
- Source code repositories (CVSweb)
- File archive & mirrors
- How to verify digital signatures
- OVE IDs
- What’s new
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 5 Jun 2014 08:49:50 -0700 From: Kees Cook <kees@…ntu.com> To: oss-security@…ts.openwall.com Subject: Re: Linux kernel futex local privilege escalation (CVE-2014-3153)
On Thu, Jun 05, 2014 at 06:45:45PM +0400, Solar Designer wrote:
This was handled via linux-distros, hence the mandatory oss-security posting. The issue was made public earlier today, and is included in this Debian advisory:
https://lists.debian.org/debian-security-announce/2014/msg00130.html
CVE-2014-3153
Pinkie Pie discovered an issue in the futex subsystem that allows a local user to gain ring 0 control via the futex syscall. An unprivileged user could use this flaw to crash the kernel (resulting in denial of service) or for privilege escalation.
Specifically, the futex syscall can leave a queued kernel waiter hanging on the stack. By manipulating the stack with further syscalls, the waiter structure can be altered. When later woken up, the altered waiter can result in arbitrary code execution in ring 0.
This flaw is especially urgent to fix because futex tends to be available within most Linux sandboxes (because it is used as a glibc pthread primitive).
-Kees
– Kees Cook
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.