[HN Gopher] A reference counting bug which leads to local privil...
___________________________________________________________________
A reference counting bug which leads to local privilege escalation
in io_uring
Author : todsacerdoti
Score : 58 points
Date : 2021-06-21 18:41 UTC (4 hours ago)
(HTM) web link (flattsecurity.medium.com)
(TXT) w3m dump (flattsecurity.medium.com)
| jandrese wrote:
| Strangely the Redhat bug tracker listed in the CVE has this issue
| closed with "NOTABUG". I guess it's not technically Redhat's
| problem?
|
| https://bugzilla.redhat.com/show_bug.cgi?id=1873476
| wereHamster wrote:
| > The affected code was not introduced into any kernel versions
| shipped with Red Hat Enterprise Linux making this vulnerability
| not applicable to these platforms.
|
| Might explain the strange status.
| [deleted]
| saagarjha wrote:
| It would be nice if the title mentioned what was affected,
| perhaps something like "CVE-2021-20226: io_uring privilege
| escalation via reference counting bug".
| mhh__ wrote:
| So HN should be optimized for people who don't click the link?
| marshray wrote:
| Perhaps the titles at least should be optimized for people
| deciding whether to click the link.
| hsbauauvhabzb wrote:
| If anything, [GNU/Linux] would be more relevant.
| dang wrote:
| That's easy. We don't need CVE numbers in titles. The
| information is trivially available to anyone who needs it.
|
| (Submitted title was "CVE-2021-20226 a reference counting bug
| which leads to local privilege escalati".)
| secondcoming wrote:
| The actual code bug:
|
| https://bugzilla.redhat.com/show_bug.cgi?id=1873476#c16
| edoceo wrote:
| Here's the CVE
|
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2022...
|
| For some reason the article doesn't link there :(
| e12e wrote:
| Thank you. But CVE seems to disagree with the headline?
|
| > The highest threat from this vulnerability is to data
| integrity, confidentiality and system availability.
|
| Or is this more of a "read/modify /etc/shadow or /sbin/su" kind
| of thing?
| tptacek wrote:
| As I read it: it's a kernel UAF; memory corruption, in the
| context of the kernel. There's a secondary attack vector
| related to the refcount mishandling, where you can obtain
| control of file table entries after an `execve`, even if you
| exec a SUID, which is also bad.
| amerine wrote:
| Any idea what the diagrams were generated with? It looks
| graphviz-y to me.
| sva_ wrote:
| For a moment, I thought 'escalati' (in the title of the
| submission) was some kind of professional term that had so far
| evaded me. It sounds pretty elegant. But of course, the title was
| just cut off. Almost disappointing.
| jtbayly wrote:
| escalati: plural of escalatum
|
| OR
|
| escalati: The beings who control the illuminati
| hospadar wrote:
| Escalati: the secretive guild of hereditary escalator engineers
| who maintain the escalators in the Illuminati's secret volcano
| lair (escalator reliability engineering is a major concern when
| world leaders are frequently escalating over giant cauldrons of
| molten lava)
| dcminter wrote:
| The same - though I read it as being a tongue-in-cheek plural
| for escalation in a security context. Perfect for high-falutin'
| conference papers!
| edoceo wrote:
| pwn2own: escalati the boxen!
| microtherion wrote:
| The Escalati - a secret society controlling the world by means
| of privilege escalation.
| 988747 wrote:
| As opposed to Illuminati, who try to do the same with smart
| lightbulbs?
| loopz wrote:
| Have we lightened up yet?
| [deleted]
| Lammy wrote:
| You got it backwards. Remember that when people say
| "illuminati" they are speculating about occultists, not about
| illumists.
| tptacek wrote:
| Further grist for the mill about the effectiveness of seccomp-
| style filtering for multitenant Docker, since it's unlikely
| anyone was filtering out `io_uring_setup`.
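The point above is that a seccomp profile only helps if the relevant entry points are actually denied. The profile below is an added illustration of how an operator would do that for containers; it is not from the thread or the linked article. It assumes Docker's seccomp profile JSON format and a deny-list layered on a default-allow action; the file name and the "comment" text are constructed for this example. Denying the three io_uring syscalls keeps unprivileged code in the container from reaching the io_uring code paths at all, which is the mitigation a container operator controls while waiting on a kernel update.

```json
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {
      "names": ["io_uring_setup", "io_uring_enter", "io_uring_register"],
      "action": "SCMP_ACT_ERRNO",
      "comment": "Constructed example: deny the io_uring entry points so the kernel code discussed in this thread (CVE-2021-20226) is unreachable from the container; the call fails with EPERM instead of entering the kernel."
    }
  ]
}
```

Save it as, say, no-io-uring.json and start the container with `docker run --security-opt seccomp=no-io-uring.json ...`. In practice you would merge the deny entry into a copy of Docker's default profile rather than use a default-allow profile, since the default profile's own allow-list is the bulk of the protection; the entry above just shows the piece that addresses io_uring. Checking the effect is straightforward from inside the container: any program that calls io_uring_setup should now get EPERM, and an audit log entry appears if the action is changed to SCMP_ACT_LOG during rollout.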
___________________________________________________________________
(page generated 2021-06-21 23:00 UTC)