[HN Gopher] A reference counting bug which leads to local privil...
___________________________________________________________________
 
A reference counting bug which leads to local privilege escalation in
io_uring
 
Author : todsacerdoti
Score  : 58 points
Date   : 2021-06-21 18:41 UTC (4 hours ago)
 
(HTM) web link (flattsecurity.medium.com)
(TXT) w3m dump (flattsecurity.medium.com)
 
| jandrese wrote:
| Strangely the Redhat bug tracker listed in the CVE has this issue
| closed with "NOTABUG". I guess it's not technically Redhat's
| problem?
| 
| https://bugzilla.redhat.com/show_bug.cgi?id=1873476
| wereHamster wrote:
| > The affected code was not introduced into any kernel versions
| shipped with Red Hat Enterprise Linux making this vulnerable
| not applicable to these platforms.
| 
| Might explain the strange status.
| [deleted]
| saagarjha wrote:
| It would be nice if the title mentioned what was affected,
| perhaps something like "CVE-2021-20226: io_uring privilege
| escalation via reference counting bug".
| mhh__ wrote:
| So HN should be optimized for people who don't click the link?
| marshray wrote:
| Perhaps the titles at least should be optimized for people
| deciding whether to click the link.
| hsbauauvhabzb wrote:
| If anything, [GNU/Linux] would be more relevant.
| dang wrote:
| That's easy. We don't need CVE numbers in titles. The
| information is trivially available to anyone who needs it.
| 
| (Submitted title was "CVE-2021-20226 a reference counting bug
| which leads to local privilege escalati".)
| secondcoming wrote:
| The actual code bug:
| 
| https://bugzilla.redhat.com/show_bug.cgi?id=1873476#c16
| edoceo wrote:
| Here's the CVE
| 
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2022...
| 
| For some reason the article doesn't link there :(
| e12e wrote:
| Thank you. But CVE seems to disagree with the headline?
| 
| > The highest threat from this vulnerability is to data
| integrity, confidentiality and system availability.
| 
| Or is this more of a "read/modify /etc/shadow or /sbin/su" kind
| of thing?
| tptacek wrote:
| As I read it: it's a kernel UAF; memory corruption, in the
| context of the kernel. There's a secondary attack vector
| related to the refcount mishandling, where you can obtain
| control of file table entries after an `execve`, even if you
| exec a SUID, which is also bad.
| amerine wrote:
| Any idea what the diagrams were generated with? It looks
| graphviz-y to me.
| sva_ wrote:
| For a moment, I thought 'escalati' (in the title of the
| submission) was some kind of professional term that had so far
| evaded me. It sounds pretty elegant. But of course, the title was
| just cut off. Almost disappointing.
| jtbayly wrote:
| escalati: plural of escalatum
| 
| OR
| 
| escalati: The beings who control the illuminati
| hospadar wrote:
| Escalati: the secretive guild of hereditary escalator engineers
| who maintain the escalators in the Illuminati's secret volcano
| lair (escalator reliability engineering is a major concern when
| world leaders are frequently escalating over giant cauldrons of
| molten lava)
| dcminter wrote:
| The same - though I read it as being a tongue-in-cheek plural
| for escalation in a security context. Perfect for high-falutin'
| conference papers!
| edoceo wrote:
| pwn2own: escalati the boxen!
| microtherion wrote:
| The Escalati - a secret society controlling the world by means
| of privilege escalation.
| 988747 wrote:
| As opposed to Illuminati, who try to do the same with smart
| lightbulbs?
| loopz wrote:
| Have we lightened up yet?
| [deleted]
| Lammy wrote:
| You got it backwards. Remember that when people say
| "illuminati" they are speculating about occultists, not about
| illumists.
| tptacek wrote:
| Further grist for the mill about the effectiveness of seccomp-
| style filtering for multitenant Docker, since it's unlikely
| anyone was filtering out `io_uring_setup`.
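Added example, not from the thread or the linked article: a minimal seccomp-BPF filter in C that returns EPERM for io_uring_setup, io_uring_enter and io_uring_register, the kind of rule tptacek's comment says container profiles were unlikely to carry. The fallback syscall numbers (425-427) and the deliberately short filter layout (no architecture check) are assumptions noted in the code; Linux only.

```c
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_io_uring_setup  /* fallback for old headers: 425-427 on every arch */
#define __NR_io_uring_setup 425
#define __NR_io_uring_enter 426
#define __NR_io_uring_register 427
#endif

#define DENIED_COUNT 3
static const unsigned denied[DENIED_COUNT] = { __NR_io_uring_setup, __NR_io_uring_enter, __NR_io_uring_register };
static struct sock_filter g_prog[DENIED_COUNT + 3];  /* load nr + jeq chain + allow + errno */

/* Fill prog[]: load nr; for each denied nr, jeq -> EPERM; otherwise allow.
 * Returns the instruction count. A production filter would also check
 * seccomp_data.arch first; this short version omits that (assumption). */
size_t build_io_uring_filter(struct sock_filter *prog)
{
    size_t n = 0;
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (unsigned i = 0; i < DENIED_COUNT; i++)  /* jt = distance to the EPERM return below */
        prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, denied[i], (unsigned char)(DENIED_COUNT - i), 0);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    return n;
}

/* Install the filter on the calling thread: 0 on success, -1 on failure. */
int install_io_uring_filter(void)
{
    struct sock_fprog fprog = { .len = (unsigned short)build_io_uring_filter(g_prog), .filter = g_prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)  /* required to install as an unprivileged user */
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    if (install_io_uring_filter() != 0) { perror("seccomp"); return 1; }
    long r = syscall(__NR_io_uring_setup, 4, NULL);  /* arguments never reach the kernel */
    printf("io_uring_setup -> %ld (%s)\n", r, strerror(errno));  /* -1 (Operation not permitted) */
    return 0;
}
```

A container runtime profile expresses the same rule declaratively (the three syscall names with an errno action); this program shows what that rule compiles down to and lets you confirm the denial on a host before rolling the profile out.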
___________________________________________________________________
(page generated 2021-06-21 23:00 UTC)