
Ancient local privilege escalation vulnerability in the kernel announced

Andrey Konovalov has announced the discovery and fix of a local privilege escalation in the Linux kernel. Using the syzkaller fuzzer (which LWN looked at around one year ago), he found a double-free in the Datagram Congestion Control Protocol (DCCP) implementation that goes back to at least September 2006 (2.6.18), but probably all the way back to the introduction of DCCP in October 2005 (2.6.14). "[At] this point we have a use-after-free on some_object. An attacker can control what object that would be and overwrite its content with arbitrary data by using some of the kernel heap spraying techniques. If the overwritten object has any triggerable function pointers, an attacker gets to execute arbitrary code within the kernel. I'll publish an exploit in a few days, giving people time to update."


Ancient local privilege escalation vulnerability in the kernel announced

Posted Feb 24, 2017 16:14 UTC (Fri) by stephenm (guest, #114284) [Link] (1 responses)

Interesting bug. I wonder if it has been exploited in the wild since it has been around so long. I know less used modules like these are often a security risk. I guess grsecurity's prevention of module autoloading has protected against this for quite some time. I'm a fan of the new RAP feature that would make this extremely difficult to exploit. Are there other features that mitigate exploitation of this?

Ancient local privilege escalation vulnerability in the kernel announced

Posted Feb 24, 2017 19:34 UTC (Fri) by flussence (guest, #85566) [Link]

Not compiling the code in the first place is an option. I'm not aware of an actual use case for these exotic protocols on the average desktop, but I bet most binary distros throw it in just because it's there.
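The two comments above describe the same defensive idea from different directions: either DCCP is not built at all, or it is built as a module that is never allowed to autoload. The following POSIX sh function is an added example (not from the article, the commenters, or the kernel project) that audits which of those states a host is in. It assumes the conventional paths /proc/modules, /lib/modules/$(uname -r), /etc/modprobe.d and /boot/config-$(uname -r), all passed as parameters so the check can also run against constructed files.

```shell
#!/bin/sh
# dccp_status MODULES_FILE MODULES_DIR MODPROBE_DIR [KCONFIG]
# Prints exactly one word describing the host's exposure to the DCCP code:
#   loaded       - a dccp* module is resident in the running kernel
#   builtin      - CONFIG_IP_DCCP=y, so it cannot be unloaded or blacklisted
#   disabled     - modprobe.d prevents the module from being (auto)loaded
#   autoloadable - dccp.ko is on disk and nothing stops a socket() call
#                  from triggering request_module() for it
#   absent       - no module on disk and not built in
dccp_status() {
    modules_file="$1"   # live system: /proc/modules
    modules_dir="$2"    # live system: /lib/modules/$(uname -r)
    modprobe_dir="$3"   # live system: /etc/modprobe.d
    kconfig="$4"        # live system: /boot/config-$(uname -r), may be empty

    # Resident modules are listed one per line, name first; this also
    # catches dccp_ipv4 / dccp_ipv6, which depend on dccp.
    if grep -q '^dccp' "$modules_file" 2>/dev/null; then
        echo loaded; return 0
    fi
    if [ -n "$kconfig" ] && grep -q '^CONFIG_IP_DCCP=y$' "$kconfig" 2>/dev/null; then
        echo builtin; return 0
    fi
    # "install dccp /bin/true" is the robust rule: it replaces the load with a
    # no-op for explicit modprobe and for kernel autoload alike. A bare
    # "blacklist dccp" only stops alias-driven loading, so both are accepted
    # here but the install form is the one to recommend.
    if grep -Eqs '^[[:space:]]*(install[[:space:]]+dccp[[:space:]]+/bin/(true|false)|blacklist[[:space:]]+dccp)([[:space:]]|$)' \
            "$modprobe_dir"/*.conf; then
        echo disabled; return 0
    fi
    # Module file present (possibly compressed, e.g. dccp.ko.xz) and nothing
    # above prevents loading it on first use.
    if find "$modules_dir" -name 'dccp.ko*' 2>/dev/null | grep -q .; then
        echo autoloadable; return 0
    fi
    echo absent
}

# When executed directly, report on the live host.
dccp_status /proc/modules "/lib/modules/$(uname -r)" /etc/modprobe.d "/boot/config-$(uname -r)"
```

On a host that reports `autoloadable`, dropping a file containing `install dccp /bin/true` into /etc/modprobe.d moves it to `disabled` without a rebuild or reboot, as long as the module is not already loaded.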


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds