CVE-2017-1000112 (Linux kernel: exploitable memory corruption due to a UFO to non-UFO path switch). When building a UFO packet with MSG_MORE, __ip_append_data() calls ip_ufo_append_data() to append. However, in between two send() calls the append path can be switched from the UFO to the non-UFO one, which leads to memory corruption: if the UFO packet length exceeds the MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch that allocates a new skb is taken. Updated version of xairy's exploit for CVE-2017-1000112.

CVE-2018-5333. In the Linux kernel through 4.14.13, the rds_cmsg_atomic function in net/rds/rdma.c mishandles cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference. Updated version of wbowling's exploit for CVE-2018-5333.

CVE-2018-18955. In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because the ID transformation is applied correctly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction. Wrapper for Jann Horn's exploit for CVE-2018-18955.

CVE-2019-13272. In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments. Updated version of Jann Horn's exploit for CVE-2019-13272.

CVE-2021-22555. A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through a user namespace. Updated version of theflow's exploit for CVE-2021-22555.
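The version ranges quoted above are the first thing to check before reaching for any of these exploits. The following helper is an added example, not code from this page or from any of the exploit repositories it mentions: it parses a kernel release string as printed by uname -r and compares it against the ranges exactly as the CVE text above states them. Where the text gives no first affected or no fixed version (CVE-2017-1000112 has no range at all, CVE-2021-22555 only a starting point), the helper reports "unknown" rather than guessing. The Advisory type, the ADVISORIES table and the triage() function are assumptions of this example. A version comparison is only a heuristic: distribution kernels backport fixes without bumping the upstream version, so "affected" here means "inside the stated upstream range", not "confirmed exploitable".

```python
"""Kernel-version triage for the CVEs listed above (added example).

The ranges below are transcribed from the CVE text on this page; -rc
suffixes are ignored, so v2.6.19-rc1 is treated as 2.6.19.
"""
import platform
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]


@dataclass(frozen=True)
class Advisory:
    cve: str
    introduced: Optional[Version]  # None: page states no first affected version
    fixed: Optional[Version]       # None: page states no fixed version


# Hypothetical table built only from the ranges quoted in the text above.
ADVISORIES = (
    Advisory("CVE-2017-1000112", None, None),              # no version range given
    Advisory("CVE-2018-5333", None, (4, 14, 14)),          # "through 4.14.13"
    Advisory("CVE-2018-18955", (4, 15, 0), (4, 19, 2)),    # "4.15.x through 4.19.x before 4.19.2"
    Advisory("CVE-2019-13272", None, (5, 1, 17)),          # "before 5.1.17"
    Advisory("CVE-2021-22555", (2, 6, 19), None),          # "since v2.6.19-rc1", no fix stated
)


def parse_kernel_version(release: str) -> Version:
    """Return the leading x.y[.z] of a `uname -r` string.

    '4.19.1-generic' -> (4, 19, 1); '5.1.17-300.fc30.x86_64' -> (5, 1, 17);
    '5.12-rc1' -> (5, 12, 0). Anything after the numeric prefix is ignored.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def status(version: Version, advisory: Advisory) -> str:
    """Classify a version as 'affected', 'not affected' or 'unknown'.

    'unknown' is returned whenever the page does not state the bound
    needed to decide; it is deliberately never collapsed into a guess.
    """
    if advisory.introduced is not None and version < advisory.introduced:
        return "not affected"
    if advisory.fixed is None:
        # Either no range at all, or only a starting version is known.
        return "unknown"
    return "affected" if version < advisory.fixed else "not affected"


def triage(release: str) -> Dict[str, str]:
    """Map every CVE on this page to its status for the given release string."""
    version = parse_kernel_version(release)
    return {adv.cve: status(version, adv) for adv in ADVISORIES}


if __name__ == "__main__":
    running = platform.release()
    print(f"kernel {running} -> {parse_kernel_version(running)}")
    for cve, result in triage(running).items():
        print(f"  {cve}: {result}")
```

Run it on the target to get a per-CVE verdict; anything reported "unknown" still needs the upstream fix commit or the distribution changelog to settle, and a result of "affected" on a distribution kernel must be confirmed against that distribution's backport history before it is treated as a finding.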