
A security bug in AEAD sockets

by daroc, from LWN.net (#75A2Q)

Security analysis firm Xint has disclosed a security bug in the Linux kernel that allows arbitrary 4-byte writes to the page cache, and which has been present since 2017. The vulnerability has been fixed in mainline kernels. A proof-of-concept script, which works on multiple distributions, demonstrates how to use the flaw to corrupt a setuid binary by requesting an AEAD cipher socket from user space and splicing a particular payload into it. A supplemental blog post gives more details about the discovery and remediation.

A core primitive underlying this bug is splice(): it transfers data between file descriptors and pipes without copying, passing page cache pages by reference. When a user splices a file into a pipe and then into an AF_ALG socket, the socket's input scatterlist holds direct references to the kernel's cached pages of that file. The pages are not duplicated; the scatterlist entries point at the same physical pages that back every read(), mmap(), and execve() of that file. Any kernel write that lands on one of those pages is therefore not a write to a private copy: it is visible to every subsequent user of the file, including a later execve() of a setuid binary, which is what makes the 4-byte write useful to an attacker.
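The by-reference behaviour of splice() can be observed from unprivileged user space without touching AF_ALG at all. The program below is an added illustration, not code from the article or from Xint's proof of concept: it splices a file into a pipe, then overwrites the file in place with pwrite(2) after the splice has already completed, and checks whether the bytes that come out of the pipe are the original or the modified ones. On a stock Linux kernel the pipe buffer holds a reference to the page-cache page, so the reader sees the modified data. The directory used for the temporary file ("/tmp") and the two marker strings are assumptions of this example; the AF_ALG step described in the article is deliberately omitted.

```c
/* Added demonstration, not part of the LWN article or the Xint PoC.
 * Shows that splice(2) passes page-cache pages to a pipe by reference:
 * a write to the file after the splice is visible through the pipe.
 * Assumes Linux and a writable directory (the caller passes it). */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed marker strings, same length so the overwrite is in place. */
#define MSG_ORIG "page-cache:ORIGINAL"
#define MSG_MOD  "page-cache:MODIFIED"

/*
 * Create a temp file holding MSG_ORIG, splice it into a pipe, overwrite the
 * file with MSG_MOD *after* the splice, then read the pipe.
 *
 * Returns 1 if the pipe delivered the modified bytes (pipe buffer referenced
 * the page-cache page, as the article describes), 0 if it delivered the
 * original bytes (some sandboxes and filesystems copy on splice), -1 on error.
 */
int splice_page_sharing(const char *dir)
{
    char path[4096];
    char buf[sizeof MSG_ORIG];
    const size_t len = sizeof MSG_ORIG - 1;
    int fd, pfd[2], result = -1;
    loff_t off = 0;
    ssize_t n;

    snprintf(path, sizeof path, "%s/splice-demo-XXXXXX", dir);
    fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                       /* keep the inode, drop the name */

    if (pipe(pfd) < 0)
        goto out_fd;

    if (pwrite(fd, MSG_ORIG, len, 0) != (ssize_t)len)
        goto out_pipe;

    /* Zero-copy move: the pipe now references the file's cached page,
       not a private copy of its contents. */
    n = splice(fd, &off, pfd[1], NULL, len, 0);
    if (n != (ssize_t)len)
        goto out_pipe;

    /* Modify the file through an ordinary write. This updates the same
       page-cache page the pipe buffer is pointing at. */
    if (pwrite(fd, MSG_MOD, len, 0) != (ssize_t)len)
        goto out_pipe;

    /* Drain the pipe: the copy to user space happens now, from the page. */
    n = read(pfd[0], buf, len);
    if (n != (ssize_t)len)
        goto out_pipe;
    buf[len] = '\0';

    result = (memcmp(buf, MSG_MOD, len) == 0) ? 1 : 0;

out_pipe:
    close(pfd[0]);
    close(pfd[1]);
out_fd:
    close(fd);
    return result;
}

int main(void)
{
    int r = splice_page_sharing("/tmp");

    if (r < 0) {
        perror("splice_page_sharing");
        return 1;
    }
    printf("pipe delivered the %s bytes: splice %s the page-cache page\n",
           r ? "modified" : "original",
           r ? "referenced" : "copied");
    return 0;
}
```

The same reference semantics hold when the pipe's other end is spliced into an AF_ALG socket instead of being read(): the socket's scatterlist entries are built from those pipe buffers, so whatever the kernel writes through them is written into the file's page cache. Running the demo on a host that reports "copied" (gVisor and some network filesystems copy on splice) does not mean that host is unaffected by the bug; it only means this particular observation path is not available there.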