
Yet another Dirty Frag type vulnerability: Fragnesia

by jzb, from LWN.net (#75KC9)

Sam James has sent an announcement to the oss-security mailing list about another local-privilege-escalation (LPE) exploit in the same class as Dirty Frag, called "Fragnesia". From the disclosure:

This is a separate bug in the ESP/XFRM from dirtyfrag which has received its own patch. However, it is in the same surface and the mitigation is the same as for dirtyfrag.

It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition.

James noted that there is a patch in the works, but it has not yet been pulled into Linus Torvalds's tree nor into any of the stable kernels. A proof-of-concept exploit is also available.
