IAIK / sweb

SWEB Educational OS
https://teaching.iaik.tugraz.at/bs/

Bug Fix: pseudols Arbitrary Read Vulnerability #277

Closed omerk2511 closed 2 years ago

omerk2511 commented 2 years ago

The pseudols syscall does not validate the pathname pointer, thus allowing an arbitrary kernel read by calling the pseudols syscall with an attacker-controlled address. This PR tackles this issue by validating that the pointer resides below the USER_BREAK address.

Note: This patch might still leave some exploitable conditions since on some architectures (like 32-bit x86), pathname might contain a usermode address that's right behind the beginning of the kernel upper half (on x86_64 this cannot happen due to the address canonization requirement). This is a much less severe issue, and since it requires a more massive patch to completely remediate, I'll let you think if you want to tackle this scenario as well in another PR.
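The pointer check the PR describes, and the range-aware variant that also covers the boundary-straddling case mentioned in the note, as an added example (not code from this PR or from SWEB). Everything here is a self-contained simulation: `USER_BREAK` is a tiny constant over a 64-byte fake address space rather than SWEB's real value, the `pseudols_*` handlers are simplified stand-ins for the real syscall, and the memory contents are constructed test data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: a simulated 64-byte flat address space. Addresses below
 * USER_BREAK are "user" memory; everything at or above it is "kernel" memory.
 * The real SWEB constant is a large virtual address; the small value here
 * only makes the example self-contained. */
#define MEM_SIZE   64u
#define USER_BREAK 32u
static unsigned char sim_mem[MEM_SIZE];

/* The check the PR describes: the pathname pointer itself must be below USER_BREAK. */
bool user_ptr_ok(uintptr_t ptr) {
    return ptr < USER_BREAK;
}

/* Stronger check for a range: [ptr, ptr+len) must lie entirely below USER_BREAK.
 * Written as a subtraction so that ptr + len can never wrap around. */
bool user_range_ok(uintptr_t ptr, size_t len) {
    if (ptr >= USER_BREAK) return false;
    return len <= USER_BREAK - ptr;
}

/* Bounded copy of a NUL-terminated user string that refuses to read any byte
 * at or above USER_BREAK. This closes the gap the PR note mentions: a pointer
 * just below the boundary whose string continues into kernel memory.
 * Returns the string length on success, or -1 if the string is not entirely
 * in user space or has no terminator within maxlen bytes. */
int copy_user_string(char *dst, size_t maxlen, uintptr_t src) {
    if (maxlen == 0) return -1;
    for (size_t i = 0; i < maxlen; i++) {
        uintptr_t addr = src + i;
        if (!user_ptr_ok(addr)) return -1;   /* would read kernel memory */
        if (addr >= MEM_SIZE) return -1;     /* outside the simulated memory */
        dst[i] = (char)sim_mem[addr];
        if (dst[i] == '\0') return (int)i;
    }
    return -1; /* no terminator within maxlen: reject rather than truncate */
}

/* Simplified pseudols stand-ins. Both "list" a path by copying the string
 * and returning its length; what matters is which memory they will touch. */
int pseudols_vulnerable(uintptr_t pathname, char *out, size_t outlen) {
    /* No validation: copies whatever the caller points at, kernel memory included. */
    size_t i;
    for (i = 0; i + 1 < outlen && pathname + i < MEM_SIZE; i++) {
        out[i] = (char)sim_mem[pathname + i];
        if (out[i] == '\0') return (int)i;
    }
    out[i] = '\0';
    return (int)i;
}

int pseudols_fixed(uintptr_t pathname, char *out, size_t outlen) {
    if (!user_ptr_ok(pathname)) return -1;   /* the PR's USER_BREAK check */
    return copy_user_string(out, outlen, pathname);
}

/* Constructed test layout: a user path at address 4, a kernel secret at
 * address 40, and a user string at 28 that straddles USER_BREAK. */
void setup_sim_memory(void) {
    memset(sim_mem, 0, sizeof sim_mem);
    memcpy(sim_mem + 4,  "/usr/bin", 9);        /* user data, NUL at 12 */
    memcpy(sim_mem + 28, "abcdefgh", 9);        /* bytes 28..36 cross USER_BREAK */
    memcpy(sim_mem + 40, "KERNEL_SECRET", 14);  /* kernel data, NUL at 53 */
}

int main(void) {
    char buf[32];
    setup_sim_memory();
    printf("vulnerable(40): %d %s\n", pseudols_vulnerable(40, buf, sizeof buf), buf);
    printf("fixed(40):      %d\n", pseudols_fixed(40, buf, sizeof buf));
    printf("fixed(4):       %d %s\n", pseudols_fixed(4, buf, sizeof buf), buf);
    printf("fixed(28):      %d\n", pseudols_fixed(28, buf, sizeof buf));
    return 0;
}
```

Checking only the start pointer (`user_ptr_ok`) is exactly what the PR adds and is enough to reject a pointer into the kernel half; the per-byte check in `copy_user_string` is what it would take to also reject a string that starts in user space and runs past the boundary.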

omerk2511 commented 2 years ago

Oh, I see a similar PR (#276) was opened by the "Secure Kernel" challenge author (to whom I disclosed this vuln first) as well. Closing.