Horn: Exploiting Recursion in the Linux Kernel

On the Project Zero blog, Jann Horn describes a bug Horn found that allows user space to overflow the kernel stack using the ecryptfs encrypted filesystem. That overflow can be used to elevate privileges for local users on Ubuntu systems configured for encrypted home directories. "However, the reason why I wrote a full root exploit for this not exactly widely exploitable bug is that I wanted to demonstrate that Linux stack overflows can occur in very non-obvious ways, and even with the existing mitigations turned on, they're still exploitable. In my bug report, I asked the kernel security list to add guard pages to kernel stacks and remove the thread_info struct from the bottom of the stack to more reliably mitigate this bug class, similar to what other operating systems and grsecurity are already doing. Andy Lutomirski had actually already started working on this, and he has now published patches that add guard pages: https://lkml.org/lkml/2016/6/15/1064."